Decentralized finance (DeFi) trading platform Mango Markets was recently exploited with hackers draining the platform of over $110 million worth of crypto. According to a tweet by Mango's official Twitter account, it seems that "oracle price manipulation" was the method used to attack the Solana-based DeFi platform.
Another thread on Twitter broke down how the attack went. The attackers started by depositing $5m worth of USDC to an account on the platform. The funds were then used to offer 483 million units of the platform's native Mango (MNGO) token in the form of perps (perpetual contracts).
Next, the attacker funded another account with $5 million of USDC and used it to buy the 483 million MNGO perpetual contracts offered by the first account. Trading against their own offer in a thin market, the attacker spiked the price of MNGO from $0.03 to $0.91, making their MNGO perps worth $423 million.
The money was then used to take out a loan of $116m using multiple tokens on the platform, including Bitcoin, Solana, and Serum. Unfortunately, the loan wiped out all of the liquidity in Mango Markets, causing the price of MNGO to crash to $0.02.
Mango Markets' development team confirmed that it has opened an investigation into what happened. The protocol announced via its various social media channels that it has blocked deposits while the investigation continues. Before deposits were blocked, the team had also warned users not to deposit funds into the platform.
The attacker used large perpetual contract positions to push the price of MNGO up over 45x in a very short time frame. This works by taking advantage of low liquidity to artificially boost a token's price: with few other orders in the book, a single large buy moves the price far more than it would in a deep market. It is the same method used in pump-and-dump schemes: find a token with low liquidity, place large buy orders to drive up the price, and then use new investors as exit liquidity to cash out.
However, this attack method is hard to pull off when there is a very high amount of liquidity since it would take a lot more capital to manipulate the price. This is why pump-and-dump schemes are more popular with new or fairly unknown tokens since they usually have very low liquidity.
If they had sufficient liquidity, Mango Markets could have avoided this attack. One way that Mango Markets could have increased their liquidity is through the use of an automated market maker (AMM). Automated market makers are systems that gather liquidity from users and use algorithms to determine a token's price.
AMMs work by having large token holders, known as liquidity providers (LPs), deposit token pairs (e.g., MNGO/USDC) into pools in equal value. This lets decentralized exchanges outsource their liquidity while compensating the LPs with a cut of the trading fees earned on the platform.
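As an added illustration (not code from the article or from Mango Markets), the toy constant-product pool below shows why pool depth matters: the same $5M USDC buy moves the price 36x against a $1M-per-side pool but only 1.21x against a $50M-per-side pool. All pool sizes are constructed, fees are ignored, and note that Mango's affected markets were perpetual order books rather than pools of this kind.

```python
from math import sqrt

# Toy constant-product AMM (x * y = k), fees ignored. Everything here is
# a constructed example; Mango Markets itself did not run such a pool.


def spot_price(usdc_reserve: float, mngo_reserve: float) -> float:
    """USDC per MNGO implied by the pool's reserves."""
    return usdc_reserve / mngo_reserve


def swap_usdc_for_mngo(usdc_reserve, mngo_reserve, usdc_in):
    """Execute one buy against the pool; returns (mngo_out, new_usdc, new_mngo)."""
    k = usdc_reserve * mngo_reserve
    new_usdc = usdc_reserve + usdc_in
    new_mngo = k / new_usdc            # k is preserved across the swap
    return mngo_reserve - new_mngo, new_usdc, new_mngo


def price_multiplier(usdc_reserve, mngo_reserve, usdc_in):
    """Factor by which the spot price rises after a single buy of usdc_in USDC."""
    before = spot_price(usdc_reserve, mngo_reserve)
    _, new_usdc, new_mngo = swap_usdc_for_mngo(usdc_reserve, mngo_reserve, usdc_in)
    return spot_price(new_usdc, new_mngo) / before


def min_usdc_depth(buy_size, max_multiplier):
    """USDC reserve needed so one buy of buy_size moves the price at most max_multiplier.

    For a constant-product pool the multiplier is (1 + buy_size/U)**2; solve for U.
    """
    return buy_size / (sqrt(max_multiplier) - 1)


if __name__ == "__main__":
    mngo_price = 0.03                  # pre-attack MNGO price from the article
    buy = 5_000_000                    # the $5M USDC figure from the article
    for usdc_depth in (1_000_000, 10_000_000, 50_000_000):
        mngo_depth = usdc_depth / mngo_price   # equal value on both sides of the pool
        mult = price_multiplier(usdc_depth, mngo_depth, buy)
        print(f"${usdc_depth:>11,} per side: a $5M buy moves the price {mult:6.2f}x")
    print(f"Depth needed to cap a $5M buy at 2x: ${min_usdc_depth(buy, 2.0):,.0f} per side")
```

The closed form in min_usdc_depth gives a pool operator a quick sizing check: how deep liquidity must be before a buy of a given size can no longer move the price past a chosen threshold.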
According to Ben Roth, Co-founder and CIO of Auros, having a sophisticated market maker can act as a clear deterrent for adverse trading behaviour during all market conditions. By working with a firm that is able to algorithmically provide deep, consistent liquidity, projects ensure that ‘bad actors’ are left with an increased level of uncertainty that their price manipulation strategy will be successful.
A day after the attack on Mango Markets, the attacker used the platform's decentralized autonomous organization (DAO) to make a proposal. The attacker proposed that the Mango DAO use its $70 million community treasury to reimburse any bad debts.
If the proposal is approved, the Mango DAO team will utilize the cash from their treasury to compensate for any unpaid debts. Afterward, the hacker would transmit the stolen tokens to an address supplied by the team behind the Mango DAO.
In another act of manipulation, the hacker seemed to support this proposition by voting with millions of tokens stolen via the attack. Nevertheless, the quorum requirements for passing the proposal have not been met, so the proposal may not be accepted.
The attacker also requested that no criminal proceedings be pursued should the proposal go through.
Mango Markets was attacked using price manipulation to spike the price of its native token, which the attacker then used as collateral to take out massive loans in various other tokens on the platform. The attacker then demanded that the Mango DAO reimburse any bad debts using its treasury funds in return for returning the stolen funds.