Date: 2022-10-13
By CNBCTV18.com

On October 12, hours after plundering $117 million from the DeFi trading protocol Mango Markets, the hacker behind the exploit placed steep settlement demands on the platform's governance forum.

The hacker proposed liquidating the Mango DAO treasury to repay $70 million of bad debts within the protocol. In addition, the hacker asked the DAO to waive any potential claims against accounts with bad debt, and not to pursue criminal investigations into the hack or freeze the stolen funds.

"If this proposal passes, I will send the MSOL, SOL, and MNGO in this account to an address announced by the mango team. The Mango Treasury will be used to cover any remaining bad debt in the protocol, and all users without bad debt will be made whole," the hacker's proposal read.

To add insult to injury, the hacker used MNGO tokens acquired from the exploit to cast nearly 33 million votes in favour of the proposal. An additional 66.7 million 'yes' votes are required for the proposal to be passed, and with polling set to end on Friday, the chances of approval seem slim. However, if enough users vote ‘yes’, the hacker will walk away with roughly $70 million of the $143 million that the Mango DAO has in its coffers.

Of course, the proposal was met with overwhelmingly negative sentiment. Users on the Mango DAO posted several comments calling out the hacker and his/her actions. "You're disgusting. What you did is wrong in every way possible. The responsible thing to do would have been to disclose the vulnerability to the team, NOT EXPLOIT IT. I hope the law enforcement community shows you ZERO MERCY," said one user.

The hack

In the early hours of October 12, Mango Markets, a Solana DeFi protocol, lost over $117 million to a price feed attack. The hacker was able to drain funds from the platform after manipulating oracle price data and taking out under-collateralised crypto loans. Oracles connect blockchains to external systems, allowing smart contracts to execute transactions based on real-world data.

Blockchain security firm OtterSec discovered the exploit and took to Twitter to provide further details. According to the security firm, attackers managed to temporarily pump the value of their collateral and then took out loans from the Mango treasury.

"It appears the attacker was able to manipulate their Mango collateral. They temporarily spiked up their collateral value and then took out massive loans from the Mango treasury," the security firm said in a tweet.

Here's a short rundown of events based on tweets from Joshua Lim, the Head of Derivatives at Genesis Global Trading. The attack began at 3:49am IST on October 12 when the attacker "funded account A with 5 million USDC collateral." After this, the attacker "offered out 483 million units of MNGO perps (perpetual contracts) on the Mango Markets order book."

Then the attacker funded account B with another 5 million USDC, which was used to purchase the 483 million units of MNGO perps for $0.03 per unit. To complete the attack, the hacker "started moving the Mango spot market price, driving the price to $0.91 and the value of the 483 million MNGO

Finally, the attacker took out a loan worth $116 million, leaving Mango's treasury with a negative balance of the same amount and wiping out all of the platform's liquidity. The stolen assets include $50 million worth of USDC, $24 million worth of SOL, $26 million worth of MSOL and smaller amounts of BTC, USDT, SRM, and MNGO.
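As an added illustration (not code from Mango Markets or from the sources quoted in this article), the sketch below models why valuing a perp position at the instantaneous oracle price inflates borrowing power, and how clamping that price to a band around recent samples bounds it. The equity formula, the 10% band and the sample price history are assumptions; the deposit, position size and prices are the figures quoted above.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class Account:
    deposit_usd: float   # stablecoin collateral
    perp_size: float     # long perp units held
    perp_entry: float    # entry price, USD per unit


def equity(acct, price):
    """Deposit plus unrealized perp PnL at the given mark price (simplified model)."""
    return acct.deposit_usd + acct.perp_size * (price - acct.perp_entry)


def guarded_price(recent_prices, spot, max_dev=0.10):
    """Clamp spot to +/- max_dev around the median of recent oracle samples."""
    ref = median(recent_prices)
    return min(max(spot, ref * (1 - max_dev)), ref * (1 + max_dev))


def review_borrow(acct, amount, recent_prices, spot, max_dev=0.10):
    """Return (allowed, reason), valuing unrealized PnL at the guarded price."""
    price = guarded_price(recent_prices, spot, max_dev)
    limit = max(0.0, equity(acct, price))
    if amount > limit:
        flag = "oracle deviation" if price != spot else "insufficient equity"
        return False, f"{flag}: limit {limit:,.0f} USD at guarded price {price:.4f}"
    return True, f"within limit {limit:,.0f} USD"


# Constructed pre-spike oracle samples (assumption, not data from the incident).
RECENT = [0.030, 0.031, 0.029, 0.030, 0.030]
# Deposit, position size, entry price and spiked price as quoted in the article.
ACCOUNT_B = Account(deposit_usd=5_000_000, perp_size=483_000_000, perp_entry=0.03)
SPOT = 0.91

if __name__ == "__main__":
    print("equity at raw spot price:", f"{equity(ACCOUNT_B, SPOT):,.0f} USD")
    print(review_borrow(ACCOUNT_B, 116_000_000, RECENT, SPOT))
```

Valued at the raw $0.91 price, the account's paper equity in this model is roughly $430 million; valued at the clamped price, the same request is refused and flagged as an oracle deviation.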

Another Twitter user pointed out that the 5.5 million USDC used as collateral was obtained from FTX. In response, Sam Bankman-Fried, FTX CEO and co-founder, confirmed the transaction and said that FTX would be "investigating and will take any appropriate action/etc."

In a conversation with Decrypt, Robert Chen, the founder of OtterSec, described the attack as "an economic design flaw". He also stated that Mango Markets was aware of such a risk to the platform. The attack caused MANGO, the platform's native cryptocurrency, to nosedive 52 percent, falling from $0.0390 before the attack to $0.0174 a couple of hours later.

The Mango Markets platform has disabled deposits and is in the process of having third-party funds frozen. The platform is also trying to get the attacker to return the stolen funds in exchange for a bug bounty reward.

This is the second $100 million attack this week. A few days ago, Binance Smart Chain, another DeFi protocol, lost nearly $100 million after hackers were able to mint and transfer 2 million BNB tokens to an address they controlled.

And a few hours before the Mango Markets exploit, the QANplatform blockchain also suffered a bridge exploit of over $1 million. QAN touts itself as a super secure platform resistant to attacks aided by quantum computing power. However, that did not protect it from the theft of 1.4 billion QANX tokens, worth a little over a million dollars. As such, this has been a pretty disappointing week for crypto markets, with three hacks resulting in more than $200 million in losses.

