Following the BNB Chain $100M Valued Cross-Chain Bridge Hack, another $100 million attack shakes the crypto world as Solana DeFi platform ‘mango markets’ gets drained of over $100 million, causing its price to plummet further than 52%.
The platform’s treasury was hit on the 11th of October with a reported exploit of over $100 million worth of cryptocurrencies by an attacker that rigged the price data of its native coin to take out huge under-collateralized cryptocurrency loans against their holdings.
Blockchain security firm OtterSec was the first to identify the attack. According to OtterSec, the attacker manipulated the value of the exchange’s collateral and then took out massive loans from its treasury. The value of Mango’s currency MNGO spiked up and then plummeted to less than 52% of its original value.
The Mango Markets team first responded to the attack by warning users not to deposit funds until the situation was more clear. They also tried to negotiate with the attacker through a tweet which said:
“We will be disabling deposits on the front end as a precaution, and will keep you updated as the situation evolves.”
“If you have any information, please contact firstname.lastname@example.org to discuss a bounty for the return of funds.”
The team later confirmed the manipulation of a price oracle and stated that it had disabled deposits while it continued investigations of the incident and has taken steps to have third-party funds frozen.
The former head of derivatives at Genesis Global Trading, Joshua Lim gave a detailed description of what possibly went down:
At 6:19 PM, an attacker funded account A with 5mm USDC collateral, the attacker then offered 483 million units of MNGO perpetual contracts on the mango markets order book.
At 6:24 PM, another account was funded with 5 million USDC collateral to buy the MNGO perpetual contracts for $0.03 for each MNGO. Afterwards at 6:26, the attacker drove the price of MNGO to $0.91 and the value of the 483 million MNGO to $423 million.
At 6:26 PM ET, the attacker started moving the Mango spot market price, driving the price to $0.91 and the value of the 483 million MNGO to $423 million.
Finally, the attacker took a $116 million loan, wiping out all of Mango’s liquidity.
The attacker’s account had three major withdrawals: $50 million worth of USDC, over $26.7 million worth of mSOL, nearly $24 million worth of Solana’s SOL, and $14.7 million worth of MNGO.