Solana DeFi trading platform Mango Markets loses $100 million in hack


In the second $100 million DeFi hack this week, Mango Markets was drained of $100 million in funds due to an exploit. Mango Markets tweeted on Tuesday evening that a hacker was able to drain funds from Mango via oracle price manipulation.

Last Thursday alone, $100 million was stolen from Binance Smart Chain, another DeFi protocol.

According to blockchain audit website OtterSec, the attacker temporarily increased the value of his collateral and then took out loans from Treasury Mango.

Mango Markets is a Solana-based platform for trading digital assets on the Solana blockchain for spot margin and perpetual futures trading. Mango Markets is governed by Mango DAO.

“It’s a flaw in economic design,” said OtterSec founder Robert Chen. Decrypt via Telegram, adding that this is a risk that Mango Markets had already acknowledged.

“At 6:19 p.m. ET, an attacker funded Account A with 5mm USDC collateral,” tweeted Genesis Global Trading Head of Derivatives Joshua Lim.

As Lim explained, the attacker then offered 483 million units of MNGO perps (perpetual contracts) on the order book of Mango Markets. Then at 6:24 PM ET, the attacker funded another account with 5 million USDC collateral to buy those 483 million units of MNGO perps for $0.03 per unit.

At 6:26 p.m. ET, the striker began moving the spot market price of the mango, pushing the price to $0.91 and the value of MNGO’s 483 million to $423 million.

The striker then took out a $116m loan, leaving Mango’s treasury with a negative balance of -116.7m. Assets drained include USDC, MSOL, SOL, BTC, USDT, SRM and MNGO, wiping out all of Mango’s cash.

In response, Mango Markets claims to have disabled deposits and taken steps to freeze third-party funds.

A Twitter user noted that the attacker was funded to the tune of $5.5 million by FTX, prompting FTX CEO Sam Bankman-Fried to respond that the company was investigating.

Mango Markets offered the attacker the chance to collect a bug bounty in exchange for returning the stolen funds.

Stay up to date with crypto news, get daily updates delivered to your inbox.


About Author

Comments are closed.