Solana-Based Defi Protocol Mango Markets Loses $117 Million in Hack, Exploit Allegedly Revealed in Project’s Discord in March

Bitcoin News

According to various reports, the Solana-based trading and lending platform Mango Markets was hacked as a malicious actor was able to siphon $117 million from the protocol. An analysis of the hack published by Certik explains that the attacker manipulated the price of the project’s native token mango (MNGO) which allowed them to borrow $117 million against the exploited collateral.

Mango Markets Hacked for $117 Million, Blockchain Security Firm Summarizes the Attack Vector

On Tuesday, the Solana-based Mango Markets platform was hacked for $117 million. The team tweeted about the issue at 7:36 p.m. (ET) on October 11. “We are currently investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation,” the Mango Market’s Twitter account detailed. “We are taking steps to have third parties freeze funds in flight. We will be disabling deposits on the front end as a precaution, and will keep you updated as the situation evolves.”

The blockchain security and auditing firm Certik summarized the Mango Market hack in a post mortem and the team explained that the hacker was able to manipulate the token mango (MNGO). “The attacker used two addresses to manipulate the price of MNGO – Mango’s native token and collateral asset – from $0.038 to a peak of $0.91,” Certik explained in a note sent to Bitcoin.com News. “This allowed them to borrow heavily against their $MNGO collateral, which they did so to the tune of approximately $117 million, though this figure is fluctuating due to the prices of affected tokens reacting to the news.”

According to the blockchain security firm Hacken, the hacker started with roughly $5 million in USDC to accomplish the goals. The official Mango Market Twitter account confirmed that two accounts funded with USDC took out a massive long position in “MNGO-PERP.” “Underlying MNGO/USD prices on various exchanges (FTX, Ascendex) experienced a 5-10x price increase in a matter of minutes,” Mango said. Mango further added that no oracle providers were at fault for the incident. The team stressed:

We want to clarify and add mention here that neither oracle providers have any fault here. The oracle price reporting worked as it should have.

Meanwhile, the blockchain security and auditing firm Certik has disclosed that the attack vector was allegedly known as early as March 2022. “The vulnerability here stemmed from the thin liquidity on the MNGO/USDC market, which was used as the price reference for the MNGO perpetual swap,” Certik’s summary adds. “With only a few million USDC at their disposal, the attacker was able to pump the price of MNGO by 2,394%. This exact attack vector was apparently raised in Mango’s Discord channel back in March of this year,” the Certik post-mortem concludes.

Tags in this story
$117 million, attack vector, certik, Certik post mortem, Certik Researchers, Hack, Hacken, incident, incident report, Mango, Mango Markets, Mango’s Discord channel, MNGO/USDC, oracle prices, Oracles, post mortem, Solana, Solana Lending App, Solana Trading app, Twitter, twitter account

What do you think about the Mango Markets exploit? Let us know what you think about this subject in the comments section below.

Jamie Redman

Jamie Redman is the News Lead at Bitcoin.com News and a financial tech journalist living in Florida. Redman has been an active member of the cryptocurrency community since 2011. He has a passion for Bitcoin, open-source code, and decentralized applications. Since September 2015, Redman has written more than 6,000 articles for Bitcoin.com News about the disruptive protocols emerging today.




Image Credits: Shutterstock, Pixabay, Wiki Commons

Disclaimer: This article is for informational purposes only. It is not a direct offer or solicitation of an offer to buy or sell, or a recommendation or endorsement of any products, services, or companies. Bitcoin.com does not provide investment, tax, legal, or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in this article.

Read disclaimer