Solana-based trading platform Mango Markets has lost around $116 million in cryptocurrency after a hacker is believed to have undertaken a “flash loan” attack.
A flash loan attack is a decentralized finance attack where a cybercriminal takes out a flash loan — a noncollateralized loan from a lending protocol — and then manipulates the price of a crypto asset on one exchange to sell it quickly on another. Mango Markets, run by the Blockworks Foundation, offers a decentralized exchange for trading cryptocurrency, with trades executed on the Solana blockchain.
In the case of Mango Markets, the hacker used two accounts to artificially raise the price of Mango coin, the token used in trading on the platform. That inflated the value of their collateral on the platform, which they then used to obtain loans from Mango’s treasury.
The hacker manipulated the price by taking out a futures position (an agreement to buy tokens at a future date and price) at an inflated price. According to Tech Monitor today, the price of MNGO shot up by around 1,000% in minutes, elevating the collateral value of the hacker’s account, which was then drawn upon, draining Mango Markets in the process.
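The collateral mechanics described above can be shown with a small model that compares borrowing capacity when collateral is valued at the raw spot price against a conservative valuation. This is an added example, not code from Mango Markets or the original article; the prices, token amount, collateral weight, spike threshold and the "lower of spot and recent median" rule are all constructed assumptions illustrating one defensive pattern.

```python
from statistics import median

# All figures below are constructed for illustration; they are not Mango Markets data.
RECENT_PRICES = [0.030, 0.031, 0.029, 0.030, 0.030]  # USD per token before the spike
SPIKED_SPOT = 0.33          # about 1,000% above 0.03
COLLATERAL_TOKENS = 1_000_000
COLLATERAL_WEIGHT = 0.8     # fraction of collateral value that can be borrowed


def borrow_limit(tokens, price, weight=COLLATERAL_WEIGHT, debt=0.0):
    """USD that can still be borrowed against `tokens` valued at `price`."""
    return max(0.0, tokens * price * weight - debt)


def conservative_price(spot, recent):
    """Value collateral at the lower of spot and the recent median.

    A sudden spike cannot raise collateral value, while a genuine
    drop in price still reduces it immediately.
    """
    return min(spot, median(recent))


def is_spike(spot, recent, max_ratio=1.5):
    """Flag a spot price far above the recent median (candidate for pausing borrows)."""
    return spot > median(recent) * max_ratio


def compare(spot, recent=RECENT_PRICES, tokens=COLLATERAL_TOKENS):
    """Return borrow limits under naive (spot) and conservative valuation."""
    return {
        "naive_usd": borrow_limit(tokens, spot),
        "guarded_usd": borrow_limit(tokens, conservative_price(spot, recent)),
        "spike_flagged": is_spike(spot, recent),
    }


if __name__ == "__main__":
    for label, spot in [("normal", 0.030), ("spiked", SPIKED_SPOT)]:
        print(label, compare(spot))
```

With these constructed numbers, the spiked spot price raises the naive borrow limit elevenfold, while the conservative valuation leaves it unchanged and flags the price for review.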
There is some dispute, however, as to whether this constitutes a flash loan attack, as OtterSec claims on Twitter that the scheme involved broader price manipulation.
At a high level,
1. This was not a flashloan attack
2. The attacker addresses were funded 5.5M via FTX
3. It appears the attacker manipulated prices across all exchanges, not just Solana oracles
— OtterSec (@osec_io) October 12, 2022
At this point in an attack on a cryptocurrency exchange, several things typically happen, such as the exchange trying to contact those behind the theft to negotiate a settlement. But this wasn’t the case with Mango Markets, which is a decentralized exchange governed by a decentralized autonomous organization consisting of those holding MNGO. The hacker holds MNGO and voted for their own solution for returning the stolen funds.
The person claiming to be the hacker told the DAO that they are willing to return the stolen cryptocurrency if the community agrees to repay a bad debt from June that was used to save another Solana project called Solend.
On promising to return stolen funds to a designated address, the hacker demanded that “the Mango treasury will be used to cover any remaining bad debt in the protocol and all users without bad debt will be made whole.”
“By voting for this proposal, Mango token holders agree to pay this bounty and pay off the bad debt with the treasury, and waive any potential claims against accounts with bad debt and will not pursue any criminal investigations or freezing of funds once the tokens are sent back,” the hacker wrote.
Since the DAO is a democracy, the hacker cast 33 million votes in favor of the proposal, according to Decrypt, giving the proposal an approval rating of 99.9%. Voting is not yet closed, however, with a further 67 million yes votes required by Friday to make the result official.
The attack on Mango Markets is not the first in the DeFi industry. In April, a flash loan attack on Beanstalk Farms resulted in the theft of $182 million in cryptocurrency.