Everything We Know About the Mango Markets Hack
A Hacker Wants the People He Stole From to Approve His Theft
Things happen differently with cryptocurrency. A hacker who stole $117 million in digital assets from decentralized finance exchange Mango Markets now says they'll return the funds, but only if token holders let them keep $70 million without the possibility of criminal prosecution.
The hacker communicated their proposal on the Mango Markets decentralized governance platform and proceeded to use votes tied to the stolen assets to support the proposition. The hacker was unable to unilaterally establish a quorum, meaning that widespread disapproval could still defeat the proposal to treat the incident as a white hat hacking incident worthy of a bug bounty.
In a nutshell: A hacker who stole cryptocurrency says they should walk away with the majority of the loot and put that plan up for a vote to the people from whom they stole, using votes tied to the stolen cryptocurrency to vote yes.
"Seriously though, wtf is wrong with our industry?" tweeted Alex Valaitis, a web3 consultant.
Mango Markets Reacts
Mango Markets is a trading platform riding on the Solana blockchain. The platform halted operations to cease all deposits and withdrawals to limit the impact of the attack, Mango Markets says. "This incident has effectively resulted in a total draining of all equity available," it says.
The value of the $MNGO token plunged 33% day-on-day at the time of publication.
"To everyone worried about their deposits on Mango: I will do everything in my power to recover your funds," tweeted Mango Labs CEO Daffy Durairaj.
Mango is investigating the hack and appealed to the attacker to discuss a "bug bounty," even as it takes steps to have third parties freeze funds that are traceable to the hack.
"We believe the most constructive way to approach this is to continue communicating with those responsible for the incident and in control of the funds removed from the protocol to attempt to resolve the issues amicably," Mango tweeted.
The attacker manipulated the price oracle data of the MNGO token to take out "massive" under-collateralized crypto loans from the Mango treasury, says blockchain security firm OtterSec, which identified the attack.
An oracle is a tool that feeds relevant off-chain data to the blockchain for smart contracts to use. A price oracle reports the price of a digital asset. "Neither oracle providers have any fault here. The oracle price reporting worked as it should have," OtterSec says.
The vulnerability stemmed from the thin liquidity on the exchange market between MNGO and the USDC stablecoin, which was used as the price reference for a MNGO perpetual swap.
"With only a few million USDC at their disposal, the attacker was able to pump the price of MNGO by 2,394%," blockchain security firm CertiK tells Information Security Media Group.
The attacker used two addresses to manipulate the price of MNGO from $0.038 to a peak of $0.91, which allowed them to borrow heavily against their MNGO token collateral, CertiK says.
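As an added illustration (not code from the article, Mango Markets or CertiK), the Python sketch below shows why valuing collateral at the raw spot price lets a pump on a thin market translate into outsized borrowing power, and how a lending protocol can blunt that with a time-weighted average price and a deviation check. The 50% loan-to-value ratio, the 10-sample window and the 10% deviation threshold are assumptions; the two MNGO prices are the figures quoted above.

```python
from dataclasses import dataclass, field
from statistics import mean

# Prices quoted in the article; the surrounding scenario is constructed.
PRE_PUMP_PRICE = 0.038   # MNGO/USDC before the manipulation
PEAK_PRICE = 0.91        # MNGO/USDC at the manipulated peak
LTV = 0.5                # assumed max loan-to-value for MNGO collateral


@dataclass
class OracleFeed:
    """Rolling window of oracle prints: spot is the latest, twap the window mean."""
    window: int = 10
    prices: list = field(default_factory=list)

    def report(self, price: float) -> None:
        self.prices.append(price)
        del self.prices[:-self.window]      # keep only the last `window` prints

    def spot(self) -> float:
        return self.prices[-1]

    def twap(self) -> float:
        return mean(self.prices)


def max_borrow_usdc(collateral_mngo: float, price: float, ltv: float = LTV) -> float:
    """USDC a borrower may draw against MNGO collateral valued at `price`."""
    return collateral_mngo * price * ltv


def price_is_anomalous(feed: OracleFeed, max_deviation: float = 0.10) -> bool:
    """Detection: flag a spot print that strays from the TWAP by more than max_deviation."""
    return abs(feed.spot() - feed.twap()) / feed.twap() > max_deviation


def guarded_price(feed: OracleFeed) -> float:
    """Mitigation: value collateral at the lower of spot and TWAP, so a short
    pump cannot lift borrowing power faster than the window average moves."""
    return min(feed.spot(), feed.twap())


def simulate(collateral_mngo: float = 1_000_000.0) -> dict:
    """Nine calm prints followed by one manipulated print, then compare limits."""
    feed = OracleFeed(window=10)
    for _ in range(9):
        feed.report(PRE_PUMP_PRICE)
    feed.report(PEAK_PRICE)
    return {
        "spot_borrow": max_borrow_usdc(collateral_mngo, feed.spot()),
        "guarded_borrow": max_borrow_usdc(collateral_mngo, guarded_price(feed)),
        "anomalous": price_is_anomalous(feed),
    }
```

With 1,000,000 MNGO posted, the spot valuation permits roughly 455,000 USDC of borrowing against collateral that was worth about 19,000 USDC of borrowing power minutes earlier, while the TWAP-bounded valuation holds the limit near 62,600 USDC and the deviation check fires.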
Mango Markets explains the technical details of the attack in a series of tweets:
Around 22:00 UTC October 11th the protocol had an incident involving the following:
- 2 accounts funded with USDC took an outsized position in MNGO-PERP
- Underlying MNGO/USD prices on various exchanges (FTX, Ascendex) experienced a 5-10x price increase in a matter of minutes
— Mango (@mangomarkets) October 12, 2022
It appears that the vulnerability was disclosed on Mango's Discord channel in March but the company did not confirm the claim.
Hacker Proposes 'Bounty'
The hacker put forth a proposal to the decentralized autonomous organization governing Mango Markets that would give the attacker a $70 million bounty.
The Mango DAO governs Mango Markets and gives MNGO token holders the power to make decisions about the platform's functions.
The hacker proposed sending back cryptocurrency worth about $50 million if Mango Markets uses the $70 million USDC in its treasury to clear bad debt on its protocol and also pay back all users without bad debt.
The attacker added that the decentralized finance company shouldn't initiate a criminal investigation or freeze the hacker's funds if the proposal passes.
The attacker used their stolen Mango tokens to vote yes on the proposal. The voting will conclude on Saturday at 1:12 a.m. UTC.