Mango Markets Hack Sees Attacker Siphon Off $117 Million

According to several news reports, Solana-based trading and lending platform Mango Markets was the target of a significant hack. The attacker was able to siphon off a staggering $117 million from the Solana-based protocol. 

The hack comes only a week after an attack on the BNB Chain, which saw the attacker drain $100 million from the protocol. 

The $117 Million Hack 

Solana-based Mango Markets was hacked for $117 million on Tuesday. The team informed users about the incident on the 11th of October, tweeting that they were investigating the hack and freezing the funds associated with the hacker. They also added that deposits would be frozen as a precautionary measure. 

“We are currently investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation. We are taking steps to have third parties freeze funds in flight. We will be disabling deposits on the front end as a precaution and will keep you updated as the situation evolves.”

According to the blockchain auditing website OtterSec, the attacker was able to drive up the value of their collateral before taking loans from the Mango treasury. 

“It appears the attacker was able to manipulate their Mango collateral. They temporarily spiked up their collateral value and then took out massive loans from the Mango treasury.”

Robert Chen, the founder of OtterSec, stated that the hack was due to an economic design flaw. He further added that Mango Markets had already acknowledged this risk. 

Details Of The Hack 

Blockchain security and auditing firm Cetik published a detailed post-mortem of the Mango Market hack, explaining how the hacker could exploit the token and carry out the hack. 

“The attacker used two addresses to manipulate the price of MNGO – Mango’s native token and collateral asset – from $0.038 to a peak of $0.91. This allowed them to borrow heavily against their $MNGO collateral, which they did so to the tune of approximately $117 million, though this figure is fluctuating due to the prices of affected tokens reacting to the news.”

Blockchain security firm Hacken shared more details, adding that the hacker started with $5 million in USDC to carry out the attack. This was confirmed by Mangi Market’s official Twitter account, which tweeted that two accounts funded by USDC had taken long positions in MNGO-PERP. Mango added that MNGO/USD prices on a host of exchanges, such as FTX, experienced a 5x-10x increase within minutes. The Mango team added that no oracle providers were at fault, stating that the oracle price worked as it was meant to work. 

“We want to clarify and mention here that neither oracle providers have any fault here. The oracle price reporting worked as it should have.”

Vulnerability Already Known To Mango 

Security and auditing firm Certik revealed that they had disclosed this vulnerability to Mango as early as March 2022, when the topic was raised in the lending platform’s Discord channel. 

“The vulnerability here stemmed from the thin liquidity on the MNGO/USDC market, which was used as the price reference for the MNGO perpetual swap. With only a few million USDC at their disposal, the attacker was able to pump the price of MNGO by 2,394%. This exact attack vector was apparently raised in Mango’s Discord channel back in March of this year. 

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice. 

Source: https://cryptodaily.co.uk/2022/10/mango-markets-hack-sees-attacker-siphon-off-117-million