10/12/2022: A Highly Profitable Trading Strategy
Liquidity was drained on Mango Market on Solana. $100M+ lost
Another week, another huge crypto hack. This time $115M is lost. Technically speaking, it’s not really a hack: the hacker played by the rules and turned $5M into $100M+. This hack happened because Mango Markets has some critical design flaws. Someone actually brought up the vulnerability about 6 months ago, but the Mango team didn’t do anything about it. I have difficulty seeing the Mango team bouncing back from this incident, as their recklessness is to blame for this unfortunate outcome.
In summary, the hacker deposited ~$5M of USDC into Mango and took a huge MNGO-PERP long position. After that, he was able to manipulate the MNGO token’s price from $0.03 to $0.91, as MNGO is a thinly traded, low-liquidity s**tcoin, resulting in a huge ~$400M+ unrealized capital gain on the perp position. He then borrowed $115M against this unrealized capital gain, effectively draining all liquidity out of Mango.
After the hacker withdrew all the tokens out of Mango, he submitted the following proposal to the Mango DAO, titled “Repay bad debt”:
hi all, the mango treasury has about 70M USDC available to repay bad debt.
I propose the following. If this proposal passes, I will send the MSOL, SOL, and MNGO in this account to an address announced by the mango team. The mango treasury will be used to cover any remaining bad debt in the protocol, and all users without bad debt will be made whole. Any bad debt will be viewed as a bug bounty / insurance, paid out of the mango insurance fund. By voting for this proposal, mango token holders agree to pay this bounty and pay off the bad debt with the treasury, and waive any potential claims against accounts with bad debt, and will not pursue any criminal investigations or freezing of funds once the tokens are sent back as described above.
WOW! That’s some bold proposal. The hacker is not admitting any wrongdoing and is seeing this as a bug bounty. It’s a bit weird, but after thinking it through, I actually agree with his assessment. Sure, the $50M+ bounty is a bit excessive. But Mango has two critical design flaws that enabled this hack. First, they allow uncapped borrowing against unrealized gains on thinly traded, easily price-manipulated s**tcoins. Second, they allow cross collateral, so gains in one market can back borrows of every other asset. The combination of the two is a recipe for disaster. It’s basically begging for North Korean hackers to fake some gains and drain all liquidity out by borrowing against the fake gains. Mango should feel lucky they were attacked by an independent hacker and have some hope of getting the money back.
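To make the two design flaws concrete, here is an added example (my own illustration, not Mango’s code) of a collateral valuation routine under a naive policy and under a hardened one. The post’s round figures are reused as constructed inputs: a $5M USDC deposit, MNGO marked from $0.03 to $0.91, a ~$400M unrealized gain, and a $115M borrow request. The 450M-contract position size, the $0.035 TWAP reference, the 20% oracle-deviation tolerance, the 50% weight on unsettled gains and the $1M per-market collateral cap are all assumptions chosen for the illustration, not parameters of any real protocol.

```python
"""Collateral valuation: naive vs. hardened risk policy (constructed example).

The naive policy credits the full unrealized perp P&L at spot price, with no
cap and with cross collateral, so a manipulated mark price becomes borrowable
value. The hardened policy bounds the mark price against a slower reference
(TWAP), haircuts unsettled gains and caps the credit any single market can
contribute.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PerpPosition:
    symbol: str
    size: float         # contracts (1 contract = 1 token); positive = long
    entry_price: float  # USD


@dataclass(frozen=True)
class Market:
    spot: float  # latest trade / oracle price, easy to move on a thin book
    twap: float  # slower reference price (e.g. a 1h TWAP), assumed available


@dataclass(frozen=True)
class RiskPolicy:
    max_oracle_deviation: float  # spot may exceed TWAP by at most this fraction
    unrealized_pnl_weight: float  # fraction of unsettled gains that counts
    per_asset_cap_usd: float  # max collateral credit from any one perp market
    cross_collateral: bool  # may perp gains back borrows of *other* assets?


NAIVE = RiskPolicy(math.inf, 1.0, math.inf, True)           # the flawed design
HARDENED = RiskPolicy(0.20, 0.50, 1_000_000.0, True)        # assumed values
NO_CROSS = RiskPolicy(0.20, 0.50, 1_000_000.0, False)       # flaw #2 removed


def mark_price(market: Market, policy: RiskPolicy) -> float:
    """Price used to value a position: spot, clamped to TWAP * (1 + tolerance)."""
    if math.isinf(policy.max_oracle_deviation):
        return market.spot
    return min(market.spot, market.twap * (1 + policy.max_oracle_deviation))


def oracle_deviation_alert(market: Market, policy: RiskPolicy) -> bool:
    """True when spot has run away from the reference; worth alerting on."""
    return market.spot > market.twap * (1 + policy.max_oracle_deviation)


def perp_collateral_credit(pos: PerpPosition, market: Market, policy: RiskPolicy) -> float:
    """USD collateral credit granted for one perp position."""
    unrealized = pos.size * (mark_price(market, policy) - pos.entry_price)
    if unrealized <= 0:
        return unrealized  # losses always count in full against the account
    if not policy.cross_collateral:
        return 0.0  # unsettled gains cannot back borrows of other assets
    return min(unrealized * policy.unrealized_pnl_weight, policy.per_asset_cap_usd)


def borrow_capacity(deposits_usd: float, positions, markets, policy: RiskPolicy) -> float:
    """Total USD value the account may borrow against, never negative."""
    credit = deposits_usd
    for pos in positions:
        credit += perp_collateral_credit(pos, markets[pos.symbol], policy)
    return max(credit, 0.0)


def can_borrow(amount_usd: float, deposits_usd: float, positions, markets, policy) -> bool:
    return amount_usd <= borrow_capacity(deposits_usd, positions, markets, policy)


# Constructed scenario mirroring the post's figures (position size assumed).
DEPOSIT_USD = 5_000_000.0
POSITIONS = [PerpPosition("MNGO-PERP", size=450_000_000.0, entry_price=0.03)]
MARKETS = {"MNGO-PERP": Market(spot=0.91, twap=0.035)}
BORROW_REQUEST = 115_000_000.0


def scenario() -> dict:
    """Borrow capacity and decision under each policy, for inspection."""
    out = {}
    for name, policy in (("naive", NAIVE), ("hardened", HARDENED), ("no_cross", NO_CROSS)):
        out[name] = {
            "capacity": borrow_capacity(DEPOSIT_USD, POSITIONS, MARKETS, policy),
            "approved": can_borrow(BORROW_REQUEST, DEPOSIT_USD, POSITIONS, MARKETS, policy),
            "alert": oracle_deviation_alert(MARKETS["MNGO-PERP"], policy),
        }
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:9s} capacity=${result['capacity']:>14,.0f} "
              f"approved={result['approved']} oracle_alert={result['alert']}")
```

Under the naive policy the account is credited $5M plus the full $396M of unsettled gain, so a $115M borrow sails through. Under the hardened policy the mark price is clamped to $0.042, the gain shrinks to $5.4M, is haircut to $2.7M and then capped at $1M, so the same request is refused with ~$6M of capacity; removing cross collateral leaves only the $5M deposit. The deviation alert fires in both hardened cases, which is the signal a risk desk would want long before the borrow is attempted.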
The hacker was later doxxed, as he actually deposited the USDC from FTX and later also manipulated the MNGO price on FTX. Thanks to KYC laws, all customers on FTX have to go through the identity verification process. As mentioned above, I don’t know if he actually broke the law. He did what Mango allows its users to do. Maybe this is why he funded his wallet through FTX: he doesn’t think what he is doing is a hack. Mango’s terrible design flaws are to blame here. I hope they work out a solution so that the hacker earns a decent bug bounty and all the Mango users are made whole.
I can’t believe these crazy hacks keep happening in crypto but here is our $100M+ hack of the week. I hope we don’t see another one in the next few days!!
Update 10/14/2022: A new DAO proposal from the Mango team is up and is being approved. It looks like the depositors will be made whole. The bug bounty is an insanely high ~$50M though.
Update 10/15/2022: The hacker has spoken, characterizing the Mango incident as a highly profitable trading strategy.