The $100 million exploit of Solana-based decentralized protocol Mango Markets has sent the value of its native token MNGO and that of SOL spiraling down over the last 24 hours.
CryptoSlate data shows that the MNGO token fell more than 40% in the last 24 hours to $0.02396. During this period, SOL also shed roughly 1% of its value to trade at $31.
Meanwhile, the total value of assets locked in Solana dropped 23% to $997 million from $1.32 billion, according to DeFillama data. This is the first time Solana’s TVL has fallen below $1 billion since July 2021.
The exploit
Mango Market stated that the hacker manipulated MNGO’s value by taking an outsized position in MNGO-PERP and counter-traded themselves with another account. This led to the USD value of MNGO rising on various exchanges.
Around 22:00 UTC October 11th the 🥭 protocol had an incident involving the following:
-2 accounts funded with USDC took an outsized position in MNGO-PERP
-Underlying MNGO/USD prices on various exchanges (FTX, Ascendex) experienced a 5-10x price increase in a matter of minutes
— Mango (@mangomarkets) October 12, 2022
The price oracles Switchboard and Pyth increased the benchmark MNGO price based on this, causing a “mark-to-market increase in the value of the account that was long MNGO-PERP from the unrealized profit.”
This allowed the hacker to withdraw $100 million worth of assets which was all the liquidity on the protocol.
Blockchain security firm OtterSec wrote that the attacker manipulated Mango’s collateral, which allowed him to take out massive loans from the treasury.
It appears the attacker was able to manipulate their Mango collateral. They temporarily spiked up their collateral value, and then took out massive loans from the Mango treasury. pic.twitter.com/2IJrB9RcEJ
— OtterSec (@osec_io) October 11, 2022
Hacker makes proposal
The hacker has released his terms for returning the funds through a proposal submitted to the DAO.
According to the hacker, Mango should repay bad debts using its treasury’s $70 million USDC. The bad debt in the proposal comes from a bailout by Mango Markets and Solend for a Solana whale with about $207 million in debt across multiple lending platforms on Solana.
The lending protocols had put together a bailout to protect the market from the risk of contagion if the whale positions were to be liquidated.
The proposal states, “any bad debt will be viewed as a bug bounty/insurance, paid out of the mango insurance fund.” The hacker also asks that Mango token holders waive their right to pursue any potential claims against accounts with bad debt.
He also wants assurance that no criminal action or freezing of funds would occur. As of press time, 33 million votes (99%) support the proposal.
Meanwhile, a Twitter user, foobar, pointed out that the “yes” votes were coming from the attacker. The hacker would need at least 67 million more votes to reach a quorum.
nvm the yes votes are coming mainly from the attacker 😭
— foobar (@0xfoobar) October 12, 2022
Mango Markets response
Mango Markets’ team has said its primary focus is to prevent further losses, ensure depositors are made whole and salvage some value for the protocol.
🥭 DAO priorities are:
➡️ Preventing any further unnecessary losses (already achieved by halting program instructions)
➡️ To make sure depositors of the Mango protocol are made whole
➡️ To try and salvage some value in Mango DAO and protocol to rebuild from here
— Mango (@mangomarkets) October 12, 2022
The platform has also now been frozen to prevent further deposits.
Source: https://cryptoslate.com/solana-tvl-tanks-23-following-100m-mango-market-hack/