These exploits are getting less and less fun to write about. I like to write about these as these are the only interesting things going on in Crypto right now which is quite sad. How the mighty ponzis have fallen from a year ago.
Anyways this post is about the Mango Markets "hack". I don't think what happened to Mango Markets is a hack. Here's why.
Here's what the supposed "Hacker" did.
- Mango Token (MNGO) is the token for Mango Markets and has awfully low liquidity due to current bear market conditions
- Hackerman funded address A with $5m and placed a 480m MNGO ask order at $0.0382
- Hackerman funded address B with $5m and bought the 480m MNGO from the other account
- Then they apparently played around with the prices of MNGO on centralised exchanges where it is thinly traded and pumped it
- The Oracle that is used to report the prices on Mango Markets reported the prices on centralised exchanges and apparently this led to the Hackerman having an unrealized gain of $400m.
- The Hackerman used this unrealised gain to borrow $115m of tokens across USDC, MSOL, SOL, BTC, USDT, SRM and MNGO
- The MNGO price returned back to normal and this wiped out all the liquidity on MNGO protocol and effectively wiped it clean with bad debt.
- Now the Hackerman has $115m in his wallet and won
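The collateral arithmetic behind the steps above, as an added example that is not part of the original post and not Mango's own code: it values the position at the oracle price implied by the post's $400m figure, then again with the oracle price clamped to a band around a slower reference price. The 25% band, using the entry price as the reference, and counting unrealized gain at full weight are assumptions.

```python
# Simplified risk-engine model (assumption: not Mango's actual margin code).
POSITION_SIZE = 480_000_000       # MNGO bought by address B (from the post)
ENTRY_PRICE = 0.0382              # USD per MNGO (from the post)
DEPOSIT_USD = 5_000_000           # funding of address B (from the post)
REPORTED_GAIN_USD = 400_000_000   # unrealized gain (from the post)
BORROWED_USD = 115_000_000        # amount borrowed (from the post)


def unrealized_pnl(size, entry, mark):
    """Paper profit of a long position marked at `mark`."""
    return size * (mark - entry)


def implied_mark_price(size, entry, pnl):
    """Oracle price needed for a long of `size` to show `pnl` of profit."""
    return entry + pnl / size


def guarded_price(oracle_price, reference_price, max_deviation):
    """Clamp the oracle price to a band around a slow reference price."""
    lower = reference_price * (1 - max_deviation)
    upper = reference_price * (1 + max_deviation)
    return min(max(oracle_price, lower), upper)


def borrow_limit(deposit, size, entry, mark, pnl_weight=1.0):
    """Collateral value: deposit plus weighted unrealized PnL, floored at 0."""
    return max(deposit + pnl_weight * unrealized_pnl(size, entry, mark), 0.0)


def compare(max_deviation=0.25):
    """Borrow check with the raw oracle price and with the clamped price."""
    spike = implied_mark_price(POSITION_SIZE, ENTRY_PRICE, REPORTED_GAIN_USD)
    raw = borrow_limit(DEPOSIT_USD, POSITION_SIZE, ENTRY_PRICE, spike)
    # Hypothetical reference: the entry price stands in for a slow average.
    mark = guarded_price(spike, ENTRY_PRICE, max_deviation)
    guarded = borrow_limit(DEPOSIT_USD, POSITION_SIZE, ENTRY_PRICE, mark)
    return {
        "spike_price": spike,
        "raw_limit": raw,
        "raw_allows_borrow": BORROWED_USD <= raw,
        "guarded_limit": guarded,
        "guarded_allows_borrow": BORROWED_USD <= guarded,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the clamp in place the borrow limit stays under $10m, so a $115m borrow against this position fails the check.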
Now, this type of exploit isn't anything new or groundbreaking. This type of oracle manipulation with illiquid tokens has been done before. Here's an example that light shared.
In fact, someone had notified the team of this in the Discord months ago and nothing was done.
Hmmm. Really makes you think...
I would make a sarcastic joke about North Korea successfully exploiting yet another DeFi Protocol but the exploiter did something I have been thinking about for a while (which is very un-North-Korean-like).
The exploiter submitted a proposal on the Mango DAO forum to ask the Mango Protocol to use $70m from treasury to repay part of the bad debt saying that he would return $50m as well. But they would have to promise that they wouldn't pursue criminal action if the DAO agrees to the proposal.
Then he voted on the proposal using his 30m MNGO tokens that he got from the exploit.
I wonder what happens in this situation. Will the criminal investigations continue? Will this proposal actually work in practice? Is code law? Will the DAO stop functioning as a DAO and just go after the guy? Will the hackerman get to keep his $50m and live life as a diplomat of a Caribbean nation or will he get caught by the FBI and sent to prison?
Guess we will find out.
Also I wonder if the $50m USDC has been frozen by Circle since the hackerman mentions in his proposal that he would only return the funds if it was pinkie promised that it wouldn't be frozen. I would check the chain but I can barely read the Sol blockchain explorers so I will leave that to the Caroline's gang to find out.
Wonder how much Sam lost during the hack. Surely they lost a bunch. Who else had money in a Solana lending protocol??