In the second $100 million DeFi hack this week, Mango Markets was drained of $100 million in funds due to an exploit. Mango Markets tweeted Tuesday evening that a hacker was able to empty funds from Mango via an oracle price manipulation.
Only last Thursday,$100 million was stolen from the Binance Smart Chain, another DeFi protocol.
According to the blockchain auditing website OtterSec, the attacker temporarily drove up the value of their collateral and then took out loans from the Mango treasury.
Mango Markets is a Solana-based platform for trading digital assets on the Solana blockchain for spot margin and trading perpetual futures. Mango Markets is governed by Mango DAO.
“It’s an economic design flaw,” OtterSec founder Robert Chen told Decrypt via Telegram, adding that it’s a risk that Mango Markets had already acknowledged.
It appears the attacker was able to manipulate their Mango collateral. They temporarily spiked up their collateral value, and then took out massive loans from the Mango treasury. pic.twitter.com/2IJrB9RcEJ
— OtterSec (@osec_io) October 11, 2022
“At 6:19 PM ET, an attacker funded account A with 5mm USDC collateral,” the Head of Derivatives at Genesis Global Trading, Joshua Lim, tweeted.
As Lim explained, the attacker subsequently offered out 483 million units of MNGO perps (perpetual contracts) on the Mango Markets order book. Then at 6:24 PM ET, the attacker funded another account with 5 million USDC collateral to buy those 483 million units of MNGO perps for $0.03 per unit.
At 6:26 PM ET, the attacker started moving the Mango spot market price, driving the price to $0.91 and the value of the 483 million MNGO to $423 million.
The attacker then took out a $116 million loan, leaving Mango’s treasury with a negative balance of -116.7 million. Assets drained include USDC, MSOL, SOL, BTC, USDT, SRM, and MNGO, wiping out all of Mango’s liquidity.
In response, Mango Markets says it has disabled deposits and is taking steps to have third-party funds frozen.
A Twitter user noted that the attacker was funded 5.5M from FTX, prompting FTX CEO Sam Bankman-Fried to respond that the company is investigating.
Can confirm we are investigating and will take any appropriate action/etc.
— SBF (@SBF_FTX) October 12, 2022
Mango Markets has offered the attacker the chance to collect a bug bounty in exchange for returning the stolen funds.