In yet another DeFi exploit attack, a hacker has helped themselves to US$100 million worth of tokens from the Mango Markets platform. This latest massive theft, resulting from deliberate manipulation of price mechanisms, again raises questions about the viability of DeFi (or “decentralized finance”) among serious investors, and over what action could be taken to recover funds.
Mango Markets lives on the Solana blockchain, which unfortunately was not experiencing one of its frequent downtimes at the time of the hack. The attack reportedly stemmed from a complicated manipulation of one of Mango’s price oracles (an external data source trusted to provide market information). This set off a chain reaction on other trading and pricing mechanisms that resulted in the hacker “borrowing,” and then withdrawing, amounts in BTC (sollet), USDT, SOL, mSOL and USDC from the Mango Protocol.
Around 22:00 UTC October 11th the 🥭 protocol had an incident involving the following:
-2 accounts funded with USDC took an outsized position in MNGO-PERP
-Underlying MNGO/USD prices on various exchanges (FTX, Ascendex) experienced a 5-10x price increase in a matter of minutes
— Mango (@mangomarkets) October 12, 2022
Mango then froze all transactions on the network to prevent further losses. The platform had a total of only US$190 million in deposits available, meaning over half that amount was lost. “This incident has effectively resulted in a total draining of all equity available,” operators said, warning that funds may not be recoverable.
They clarified that fault did not lie with the oracle providers, and that oracle price reporting worked as it should have. The incident began when two accounts funded with USDC took an unusually large position in MNGO-PERP, causing a ripple effect on prices on other exchanges.
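As an added illustration of why valuing collateral off a single oracle print is fragile, here is a toy lending risk check (not Mango's code; all quantities, the 80% LTV, the 8-print window and the 2x deviation threshold are hypothetical). It contrasts a spot-only valuation with a TWAP-capped valuation plus an anomaly freeze when one asset's price jumps many-fold within minutes:

```python
# Constructed, hypothetical numbers; not Mango Markets code or data.
# Prices are integers in micro-USD so every result is exact.
MICRO = 1_000_000
LTV_PCT = 80           # hypothetical loan-to-value limit (80%)
TWAP_WINDOW = 8        # hypothetical number of oracle prints averaged
MAX_DEVIATION = 2.0    # hypothetical: flag when latest print > 2x the TWAP

QTY = 100_000_000                         # constructed position size, whole tokens
CALM = [30_000] * 8                       # eight prints at $0.03
SPIKE = [30_000] * 7 + [300_000]          # last print jumps 10x to $0.30


def twap(prices, window=TWAP_WINDOW):
    """Average of the last `window` oracle prints (equal spacing assumed)."""
    recent = prices[-window:]
    return sum(recent) // len(recent)


def value_spot(qty, prices):
    """Collateral valued at the latest print only: one spiked print inflates it."""
    return qty * prices[-1]


def value_twap(qty, prices):
    """Collateral valued at min(latest, TWAP): a short spike barely moves it."""
    return qty * min(prices[-1], twap(prices))


def price_anomaly(prices):
    """True when the latest print exceeds MAX_DEVIATION times the TWAP."""
    return prices[-1] > MAX_DEVIATION * twap(prices)


def max_borrow_usd(value_micro):
    """Largest loan (whole USD) the risk engine permits against this value."""
    return value_micro * LTV_PCT // 100 // MICRO


def borrow_allowed(amount_usd, qty, prices, hardened=False):
    """Naive engine trusts the spot print; hardened engine uses TWAP and
    refuses all new borrowing while the feed looks manipulated."""
    if hardened:
        if price_anomaly(prices):
            return False
        value = value_twap(qty, prices)
    else:
        value = value_spot(qty, prices)
    return amount_usd <= max_borrow_usd(value)
```

With these numbers the naive engine lets the same deposit back a loan roughly five times larger than the hardened one would, and the hardened engine stops lending entirely until the feed settles.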
The situation took a bizarre turn a few hours later, when the hacker reportedly popped up on a Realms message board with a proposal to return mSOL, SOL and MNGO tokens—supplemented by funds from Mango’s treasury and insurance fund—to make any debtors whole. Another condition was that voting token holders “will not pursue any criminal investigations or freezing of funds once the tokens are sent back.”
According to one researcher, the hacker then used 32 million tokens to vote on the proposal, voting Yes. 67 million more Yes votes would be required over the next two days to pass the proposal.
So just to recap the @mangomarkets situation:
-Hacker exploits Mango for $100M+
-Hacker turns around & offers to return most funds, if DAO promises not to pursue criminal investigations
-Hacker uses 32M votes from the exploit to vote 'Yes'
LMFAO you cannot make this shit up!
— Alex Valaitis (@alex_valaitis) October 12, 2022
Mango Markets operators appeared to confirm this claim by posting “The parties involved with this incident have communicated on the Mango DAO indicating a willingness to negotiate.”
We believe the most constructive way to approach this is to continue communicating with those responsible for the incident and in control of the funds removed from the protocol to attempt to resolve the issues amicably.
— Mango (@mangomarkets) October 12, 2022
This ought to raise eyebrows about the nature of stake voting systems, particularly in proof-of-stake (PoS) blockchain protocols. It is far more difficult to track ownership and/or control of voting shares in a PoS system. Whether or not the proposal succeeds, and whether or not it could be legally binding (most likely not), the situation is a basic demonstration of how staking votes can be manipulated.
Proof-of-work (PoW) transaction verification systems such as Bitcoin's offer far more security, since they require large and visible physical hardware facilities whose owners can be identified.
The Bitcoin Association for BSV, which is the guardian of the BSV protocol, has released new mining software that would allow stolen assets themselves to be frozen. The Blacklist Manager would broadcast a message to transaction processors (miners) alerting them to target the UTXOs in question. Action would only be taken in the event of a digitally-notarized court order.
Along with Blacklist Manager, the Notary Toolset will be a means to quickly translate a court order into a machine-readable format, which can then be transmitted to the transaction processor network.
While coin/UTXO “blacklisting” has long been controversial in Bitcoin and the wider blockchain industry, users are also weary of existing at the mercy of bad actors who always seem able to find loopholes in contract code, services, or other mechanisms to make off with their money. The Mango Markets hack, and subsequent negotiation “offer” from the attacker, is one example of this.
Blockchain’s old “not your keys, not your coins” cliche dies a little more each time an incident like this occurs, as trading systems become more complex—and hackers find new avenues to exploit, not in blockchain protocols themselves, but the popular third-party services that run on them.