Solana-based decentralized finance (DeFi) protocol Mango Markets has been the victim of the hack in the latest exploit. As per the details, the attacker has managed to drain more than $100 million from the DeFi protocol.
As per the details provided by the blockchain auditing website OtterSec, the attacker managed to get a large number of loans from the Mango Treasury by manipulating the DeFi protocol’s collateral. This resulted in a massive loss of funds from the Mango Treasury.
Mago Markets is a Solana-based DeFi platform that trades digital assets for spot margin and trading perpetual futures. Mango’s decentralized autonomous organization (DAO) manages the overall governance of the Mango Markets. The DeFi protocol has taken immediate cognizance of the matter noting:
We are currently investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation. We are taking steps to have third parties freeze funds in flight. We will be disabling deposits on the front end as a precaution and will keep you updated as the situation evolves.
Mango Markets has asked its users not to make any fresh deposits until the situation is clear. Furthermore, it is reaching out to the attacker for the return of the funds while offering some bug bounty.
Trending Stories
The Exploit of Mango Markets
Joshua Lim, the Head of Derivatives at Genesis Global Trading, has provided further details into how the hacker orchestrated the hack. He writes:
- At 6:19 PM ET, attacker funded acct A (CQvKS…) with 5mm USDC collateral.
- The attacker then offered out 483mm units of MNGO perps on the order book.
- At 6:24 PM ET, attacker funded acct B (4ND8F…) with 5mm USDC collateral to buy those 483mm units of MNGO perps, at a price of $0.0382 per unit.
- At 6:26 PM ET, attacker started to move the price of MNGO spot mkt, it traded as high as $0.91.
- At MNGO/USD price of $0.91 per unit, account B was in the money by 483mm * ($0.91 – $0.03298) = $423mm.
With this P&L, the attacker then took out $116 million in loans across all tokens. Joshua writes that the attacker wiped out all liquidity on Mango.