DeFi Platform on Solana Loses $100 Million After Exploit
Mango Markets was drained of $100 million due to an exploit. This is the second DeFi hack on this scale in recent weeks.
Mango Markets, a Solana-based digital asset trading platform, announced on Twitter that a hacker was able to drain funds from the company by manipulating the price reported by a blockchain oracle. Last Thursday, $100 million was stolen from the Binance Smart Chain.
Around 22:00 UTC October 11th the 🥭 protocol had an incident involving the following:
- 2 accounts funded with USDC took an outsized position in MNGO-PERP
- Underlying MNGO/USD prices on various exchanges (FTX, Ascendex) experienced a 5-10x price increase in a matter of minutes
— Mango (@mangomarkets) October 12, 2022
The exploiter temporarily increased the value of his collateral and then borrowed from Mango’s vault, according to a blockchain auditing website.
A Twitter user noted that the attacker was funded by FTX, prompting the company's CEO, Sam Bankman-Fried, to respond that an investigation was underway.
How did it happen?
At 6:19 p.m. ET, the attacker funded an account with $5 million USDC in collateral. He subsequently offered 483 million units of MNGO perpetual contracts on the Mango Markets order book. Then, at 6:24 p.m. ET, the attacker funded another account with 5 million USDC of collateral to buy those 483 million units of MNGO perpetual contracts for $0.03 per unit.
At 6:26 p.m. ET, the attacker began to move the spot price of MNGO, driving it up to $0.9 and the value of the 483 million units of MNGO to about $423 million. He then took out a $116 million loan, leaving Mango's vault with a balance of -$116.7 million. The withdrawn assets included USDC, MSOL, SOL, BTC, USDT, SRM and MNGO, wiping out all of Mango's liquidity.
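The sequence above comes down to a lending check that trusts a spot price which can be moved within minutes. The following is an added example, not code from Mango Markets: it models the long account with the article's figures and compares a borrow check against the raw spot price with one against a rate-limited price. The equity rule, the `guarded_price` function, its 10% per-update limit and the oracle samples are assumptions made for illustration.

```python
# Added illustration: a simplified model, not Mango Markets' actual risk engine.
from dataclasses import dataclass

@dataclass
class PerpAccount:
    usdc_collateral: float  # deposited USDC
    perp_units: float       # long MNGO-PERP position, in units
    entry_price: float      # USD paid per unit

def equity(acct: PerpAccount, mark_price: float) -> float:
    """Collateral plus unrealized PnL of the long position at mark_price."""
    return acct.usdc_collateral + acct.perp_units * (mark_price - acct.entry_price)

def guarded_price(spot_samples: list[float], max_move: float = 0.10) -> float:
    """Hypothetical guard: the accepted price follows spot, but may move
    at most max_move (as a fraction) per oracle update."""
    price = spot_samples[0]
    for spot in spot_samples[1:]:
        low, high = price * (1 - max_move), price * (1 + max_move)
        price = min(max(spot, low), high)
    return price

def borrow_allowed(acct: PerpAccount, mark_price: float, requested: float) -> bool:
    """Assumed rule: a loan may not exceed the account's positive equity."""
    return requested <= max(equity(acct, mark_price), 0.0)

# Figures from the article: 5 million USDC, 483 million units bought at $0.03.
LONG_ACCOUNT = PerpAccount(5_000_000, 483_000_000, 0.03)
# Constructed oracle updates for the climb from $0.03 to $0.9.
SPOT_SAMPLES = [0.03, 0.10, 0.30, 0.60, 0.90]
LOAN = 116_000_000

if __name__ == "__main__":
    raw, guarded = SPOT_SAMPLES[-1], guarded_price(SPOT_SAMPLES)
    for label, price in (("raw spot", raw), ("guarded", guarded)):
        print(f"{label}: price={price:.4f} equity={equity(LONG_ACCOUNT, price):,.0f} "
              f"loan allowed={borrow_allowed(LONG_ACCOUNT, price, LOAN)}")
```

With the raw spot price the $116 million loan passes the check; with the rate-limited price the account's equity stays near $11.7 million and the same loan is refused.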