$100M drained from Solana DeFi platform Mango Markets, token plunges 52%

Published at: Oct. 12, 2022

Solana (SOL) based decentralized finance (DeFi) exchange Mango Markets has been hit with a reported exploit of over $100 million through an attacker manipulating price oracle data, allowing them to take out under-collateralized cryptocurrency loans.

The exploit was first identified by blockchain security firm OtterSec which tweeted the exchange had been drained of over $100 million due to the attacker manipulating the value of their Mango (MNGO) native token collateral, then taking out “massive loans” from Mango’s treasury.

It appears the attacker was able to manipulate their Mango collateral. They temporarily spiked up their collateral value, and then took out massive loans from the Mango treasury. pic.twitter.com/2IJrB9RcEJ

— OtterSec (@osec_io) October 11, 2022

The Mango Markets team tweeted soon after warning users not to deposit funds until “the situation was more clear” and asked the attacker to contact them to discuss a bug bounty.

The team later confirmed the manipulation of a price oracle — a price data feed of the value of its MNGO token — and stated that it had disabled deposits whilst it continued investigations of the incident.

We will be disabling deposits on the front end as a precaution, and will keep you updated as the situation evolves. If you have any information, please contact [email protected] to discuss a bounty for the return of funds. 2/

— Mango (@mangomarkets) October 11, 2022

Due to news of the exploit, the price of the platforms’ MNGO token has fallen by around 52% in the last 24-hours at the time of writing according to data from CoinGecko.

Related: TempleDAO exploit results in $2M loss

The exploiters' account on the platform shows the three largest withdrawals were for $50 million worth of USD Coin (USDC), over $26.7 million worth of a Solana staking token called Marinade Staked SOL (mSOL), and nearly $24 million worth of SOL.

Over $14.7 million worth of MNGO was withdrawn and Mango said it’s “taking steps to have third parties freeze funds in flight.”

Meanwhile, the QANplatform blockchain also suffered from an exploit of its ownon Oct. 11, with its Ethereum (ETH) bridge drained of around $1.89 million worth of its native QANX token according to blockchain security company Beosin. QANplatform says it’s investigating the incident.

Tags
Related Posts
Furucombo to issue iouCOMBO tokens to repay victims of $15M exploit
Decentralized finance transaction combination tool Furucombo will compensate the victims of a recent “evil contract” exploit that cost the protocol $15 million in stolen funds. Following an internal call with affected users last week, Furucombo released a compensation plan Tuesday, announcing that they will issue 5 million iouCOMBO tokens to the victims of the breach. Issued in the form of ERC-20 tokens, iouCOMBO tokens will represent the rights to claim Furucombo’s COMBO tokens in the recovery pool. Out of a total of 100 million COMBO tokens, 5 million coins have been allocated to the recovery pool, and are subject to …
Technology / March 9, 2021
Transaction batching protocol Furucombo suffers $14 million “evil contract” hack
The latest “evil contract” exploit has netted an attacker over $14 million in stolen funds. Furucombo, a tool designed to help users “batch” transactions and interactions with multiple decentralized finance (DeFi) protocols at once, fell victim to the attack at roughly 4:45 pm UTC, which centered on token approvals from users. The attacker’s address currently has $14 million worth of various cryptocurrencies, but the attack appears to be larger as they have been transferring ETH to privacy mixer Tornado Cash in batches over the last hour. This attack is conceptually similar to the $20 million “evil jar” attack that struck …
Ethereum / Feb. 27, 2021
The aftermath of Axie Infinity’s $650M Ronin Bridge hack
In late March, Ronin, an Ethereum sidechain built for the popular play-to-earn nonfungible token game Axie Infinity, was hacked for over 173,600 Ether (ETH) and 25.5 million USD Coin (USDC) for a combined value of over $600 million. The breach on the Ronin bridge was confirmed by Sky Mavis, the developers behind the popular play-to-earn (P2E) game: There has been a security breach on the Ronin Network.https://t.co/ktAp9w5qpP — Ronin (@Ronin_Network) March 29, 2022 The official report from the company noted that the hackers managed to get access to private keys to validator nodes resulting in the compromise of five validator …
Blockchain / April 12, 2022
Mango Markets exploiter said actions were ‘legal,’ but was it?
The $117 million Mango Markets exploiter has defended that their actions were ‘legal,’ but a lawyer suggests that they could still face consequences. Self-described digital art dealer Avraham Eisenberg, outed himself as the exploiter in a series of tweets on Oct. 15 claiming he and a team undertook a “highly profitable trading strategy” and that it was “legal open market actions, using the protocol as designed.” I believe all of our actions were legal open market actions, using the protocol as designed, even if the development team did not fully anticipate all the consequences of setting parameters the way they …
Defi / Oct. 18, 2022
Yield platform Stablegains sued for promoting UST: Finance Redefined
Welcome to Finance Redefined, your weekly dose of essential decentralized finance (DeFi) insights — a newsletter crafted to bring you significant developments over the last week. The backlash from the Terra implosion still haunts the crypto world, with the now-shuttered stablecoin yield platform Stablegains being sued for customer losses. The plaintiffs allege that the platform funnelled customer funds into Anchor Protocol without users’ knowledge or consent. Platypus, the DeFi protocol that was exploited for over $8 million, is working on a compensation plan to recover some of the funds. Florida’s Cogent Bank is proposing a $100 million participation in loans …
Regulation / Feb. 24, 2023