$100M drained from Solana DeFi platform Mango Markets, token plunges 52%

Published at:
Defi
Hacks
Hackers
Decentralized Exchange
Loans

Solana (SOL) based decentralized finance (DeFi) exchange Mango Markets has been hit with a reported exploit of over $100 million through an attacker manipulating price oracle data, allowing them to take out under-collateralized cryptocurrency loans.

The exploit was first identified by blockchain security firm OtterSec which tweeted the exchange had been drained of over $100 million due to the attacker manipulating the value of their Mango (MNGO) native token collateral, then taking out “massive loans” from Mango’s treasury.

It appears the attacker was able to manipulate their Mango collateral. They temporarily spiked up their collateral value, and then took out massive loans from the Mango treasury. pic.twitter.com/2IJrB9RcEJ

— OtterSec (@osec_io) October 11, 2022

The Mango Markets team tweeted soon after warning users not to deposit funds until “the situation was more clear” and asked the attacker to contact them to discuss a bug bounty.

The team later confirmed the manipulation of a price oracle — a price data feed of the value of its MNGO token — and stated that it had disabled deposits whilst it continued investigations of the incident.

We will be disabling deposits on the front end as a precaution, and will keep you updated as the situation evolves. If you have any information, please contact blockworks@protonmail.com to discuss a bounty for the return of funds. 2/

— Mango (@mangomarkets) October 11, 2022

Due to news of the exploit, the price of the platforms’ MNGO token has fallen by around 52% in the last 24-hours at the time of writing according to data from CoinGecko.

Related: TempleDAO exploit results in $2M loss

The exploiters' account on the platform shows the three largest withdrawals were for $50 million worth of USD Coin (USDC), over $26.7 million worth of a Solana staking token called Marinade Staked SOL (mSOL), and nearly $24 million worth of SOL.

Over $14.7 million worth of MNGO was withdrawn and Mango said it’s “taking steps to have third parties freeze funds in flight.”

Meanwhile, the QANplatform blockchain also suffered from an exploit of its ownon Oct. 11, with its Ethereum (ETH) bridge drained of around $1.89 million worth of its native QANX token according to blockchain security company Beosin. QANplatform says it’s investigating the incident.

Related Posts
Furucombo to issue iouCOMBO tokens to repay victims of $15M exploit   March 9, 2021
Transaction batching protocol Furucombo suffers $14 million “evil contract” hack   Feb. 27, 2021
The aftermath of Axie Infinity’s $650M Ronin Bridge hack   April 12, 2022
Mango Markets exploiter said actions were ‘legal,’ but was it?   Oct. 18, 2022
Yield platform Stablegains sued for promoting UST: Finance Redefined   Feb. 24, 2023