Solana DeFi Trading Platform Mango Markets Loses $100M in Hack

Decrypt
3 years ago

In the second $100 million DeFi hack this week, Mango Markets was drained of $100 million in funds due to an exploit. Mango Markets tweeted Tuesday evening that a hacker was able to empty funds from Mango via an oracle price manipulation.


Only last Thursday, $100 million was stolen from the Binance Smart Chain, another DeFi protocol.


According to the blockchain auditing website OtterSec, the attacker temporarily drove up the value of their collateral and then took out loans from the Mango treasury.


Mango Markets is a Solana-based platform for trading digital assets, offering spot margin trading and perpetual futures. Mango Markets is governed by Mango DAO.


"It's an economic design flaw," OtterSec founder Robert Chen told Decrypt via Telegram, adding that it's a risk that Mango Markets had already acknowledged.



"At 6:19 PM ET, an attacker funded account A with 5mm USDC collateral," the Head of Derivatives at Genesis Global Trading, Joshua Lim, tweeted.


As Lim explained, the attacker subsequently offered out 483 million units of MNGO perps (perpetual contracts) on the Mango Markets order book. Then at 6:24 PM ET, the attacker funded another account with 5 million USDC collateral to buy those 483 million units of MNGO perps for $0.03 per unit.


At 6:26 PM ET, the attacker started moving the Mango spot market price, driving the price to $0.91 and the value of the 483 million MNGO to $423 million.



The attacker then took out a $116 million loan, leaving Mango's treasury with a negative balance of -116.7 million. Assets drained include USDC, MSOL, SOL, BTC, USDT, SRM, and MNGO, wiping out all of Mango's liquidity.
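The valuation problem described above can be shown with a simplified model. This is an added example, not code from the article, OtterSec, or Mango Markets. It compares a borrow limit that marks the perp position at the latest spot price with one that marks at a time-weighted average and caps how much unrealized profit counts as collateral. Only the 5 million USDC, 483 million units, $0.03 and $0.91 come from the article; the sample timings, the 600-second window, the profit cap and all function names are assumptions.

```python
from dataclasses import dataclass

# Constructed oracle samples: (seconds since first sample, MNGO price in USD).
# Only the 0.03 entry price and the 0.91 peak come from the article.
SAMPLES = [(0, 0.03), (300, 0.03), (600, 0.03), (720, 0.30), (780, 0.91)]

@dataclass
class PerpAccount:
    usdc_collateral: float  # deposited USDC
    perp_units: float       # long perp position size, in MNGO
    entry_price: float      # price paid per unit

def twap(samples, window, now):
    """Time-weighted average price over [now - window, now].
    Each sample's price holds until the next sample; the first
    sample is assumed to be at or before the start of the window."""
    start = now - window
    total = 0.0
    for (t0, price), (t1, _) in zip(samples, samples[1:] + [(now, None)]):
        lo, hi = max(t0, start), min(t1, now)
        if hi > lo:
            total += price * (hi - lo)
    return total / window

def spot_deviation(samples, window, now):
    """Ratio of the latest spot price to the TWAP; a large value is a
    signal to pause borrowing against positions in that market."""
    return samples[-1][1] / twap(samples, window, now)

def borrow_limit_naive(acct, spot):
    """Marks the perp at the latest spot price and counts all
    unrealized profit as collateral (the pattern the article describes)."""
    return acct.usdc_collateral + acct.perp_units * (spot - acct.entry_price)

def borrow_limit_guarded(acct, samples, now, window=600, pnl_cap=1_000_000):
    """Marks at the TWAP and counts at most pnl_cap of unrealized profit.
    Both parameters are hypothetical risk settings."""
    mark = twap(samples, window, now)
    pnl = acct.perp_units * (mark - acct.entry_price)
    return acct.usdc_collateral + min(pnl, pnl_cap)
```

With the article's figures, the spot-marked limit is about $430 million, while the guarded limit stays at $6 million even though the final sample is $0.91.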


In response, Mango Markets says it has disabled deposits and is taking steps to have third-party funds frozen.


A Twitter user noted that the attacker was funded 5.5M from FTX, prompting FTX CEO Sam Bankman-Fried to respond that the company is investigating.



Mango Markets has offered the attacker the chance to collect a bug bounty in exchange for returning the stolen funds.

