Solana-Based DeFi Protocol Mango Markets Loses $117 Million in Hack, Exploit Allegedly Revealed in Project’s Discord in March
According to various reports, the Solana-based trading and lending platform Mango Markets was hacked, with a malicious actor siphoning $117 million from the protocol. An analysis of the hack published by Certik explains that the attacker manipulated the price of the project’s native token, mango (MNGO), which allowed them to borrow $117 million against the exploited collateral.
Mango Markets Hacked for $117 Million, Blockchain Security Firm Summarizes the Attack Vector
On Tuesday, the Solana-based Mango Markets platform was hacked for $117 million. The team tweeted about the issue at 7:36 p.m. (ET) on October 11. “We are currently investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation,” the Mango Markets Twitter account detailed. “We are taking steps to have third parties freeze funds in flight. We will be disabling deposits on the front end as a precaution, and will keep you updated as the situation evolves.”
The blockchain security and auditing firm Certik summarized the Mango Markets hack in a post-mortem, explaining that the hacker was able to manipulate the price of the mango (MNGO) token. “The attacker used two addresses to manipulate the price of MNGO – Mango’s native token and collateral asset – from $0.038 to a peak of $0.91,” Certik explained in a note sent to Bitcoin.com News. “This allowed them to borrow heavily against their $MNGO collateral, which they did so to the tune of approximately $117 million, though this figure is fluctuating due to the prices of affected tokens reacting to the news.”
On October 11, 2022 at 11:19 PM UTC, Mango Market was attacked for a total loss of roughly ~$116M.
The attacker was able to manipulate the price of the MNGO token and exploitatively borrowed more assets than what they were supposed to be able to.
— CertiK Alert (@CertiKAlert) October 12, 2022
According to the blockchain security firm Hacken, the hacker started with roughly $5 million in USDC to carry out the attack. The official Mango Markets Twitter account confirmed that two accounts funded with USDC took out a massive long position in “MNGO-PERP.” “Underlying MNGO/USD prices on various exchanges (FTX, Ascendex) experienced a 5-10x price increase in a matter of minutes,” Mango said. Mango further added that no oracle providers were at fault for the incident. The team stressed:
We want to clarify and add mention here that neither oracle providers have any fault here. The oracle price reporting worked as it should have.
Meanwhile, the blockchain security and auditing firm Certik has disclosed that the attack vector was allegedly known as early as March 2022. “The vulnerability here stemmed from the thin liquidity on the MNGO/USDC market, which was used as the price reference for the MNGO perpetual swap,” Certik’s summary adds. “With only a few million USDC at their disposal, the attacker was able to pump the price of MNGO by 2,394%. This exact attack vector was apparently raised in Mango’s Discord channel back in March of this year,” the Certik post-mortem concludes.
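An added example (not from the article, Certik, or Mango Markets) of one generic mitigation for the thin-liquidity problem the post-mortem describes: capping the price used to value collateral against a slow moving average, so a spike in the reference market cannot immediately inflate borrowing power. The position size, collateral weight, guard parameters and intermediate price ticks are constructed assumptions; only the $0.038 and $0.91 endpoints come from the article.

```python
from dataclasses import dataclass


@dataclass
class CollateralGuard:
    """Caps the collateral price relative to a slow EMA (hypothetical helper)."""
    ema: float              # slow reference price, seeded with a trusted price
    alpha: float = 0.05     # assumed EMA weight per oracle update
    max_dev: float = 0.10   # assumed: collateral price may exceed EMA by at most 10%

    def price_for_collateral(self, oracle_price: float) -> float:
        # Falls are taken at face value immediately; rises are rate-limited.
        capped = min(oracle_price, self.ema * (1 + self.max_dev))
        # Feed the capped value into the EMA so a spike cannot drag it up quickly.
        self.ema = (1 - self.alpha) * self.ema + self.alpha * capped
        return capped


def borrow_limit(quantity: float, price: float, weight: float) -> float:
    """Maximum borrow in USD for a collateral position."""
    return quantity * price * weight


def simulate(ticks, quantity, weight):
    """Return (oracle, capped, naive_limit, guarded_limit) per oracle update."""
    guard = CollateralGuard(ema=ticks[0])
    rows = []
    for p in ticks:
        capped = guard.price_for_collateral(p)
        rows.append((p, capped,
                     borrow_limit(quantity, p, weight),
                     borrow_limit(quantity, capped, weight)))
    return rows


# Constructed oracle updates: only the endpoints $0.038 and $0.91 come from the article.
TICKS = [0.038, 0.10, 0.30, 0.60, 0.91]
QUANTITY = 100_000_000   # constructed position size in MNGO
WEIGHT = 0.8             # assumed collateral weight

if __name__ == "__main__":
    for oracle, capped, naive, guarded in simulate(TICKS, QUANTITY, WEIGHT):
        print(f"oracle={oracle:.3f} capped={capped:.4f} "
              f"naive=${naive:,.0f} guarded=${guarded:,.0f}")
```

The same cap delays recognition of genuine rallies, so the parameters trade borrowing capacity against manipulation resistance.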