Mango Markets, a decentralized finance platform on the Solana blockchain, suffered a massive hack of its funds overnight. The damage from the attack could be as high as $116 million.
Decentralized finance remains a particularly sensitive, even vulnerable, target for cybercriminals. This is the second $100 million-plus hack to hit DeFi this week. A few days after BNB Chain, it was the turn of Solana (SOL) and the Mango Markets platform to suffer an attack.
As a reminder, Mango is a DeFi platform on the Solana network. It is a decentralized exchange (DEX) offering a trading platform for spot markets, perpetual futures and loans, sourcing liquidity from its own pool alongside Serum. It has its own cryptocurrency token, MNGO.
Mango's token dropped by more than 40%
Specifically, the hacker reportedly started by depositing 5 million USDC into two different accounts. He first used one account to open a short position (a bet on the price falling) of 483 million MNGO on the MNGO/USDC perpetual contract at a price of $0.03 per unit.
Then he used his second account to take the other side of that position himself by opening a long position (a bet on the price rising), causing the price of the token to jump nearly 1,000% in less than an hour. Finally, the hacker repeated this strategy several times to manipulate the price of MNGO, pushing it as high as $0.54 per unit on exchanges such as Ascendex and FTX.
The damage to the service is estimated at 114 million dollars.
Since the hack was made official, the price of MNGO has fallen by more than 40%. Mango explained on Twitter:
We are currently investigating an incident in which a hacker was able to drain funds from Mango via oracle price manipulation. We are taking steps to have third parties freeze the leaked funds.
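The price move described above (from $0.03 to as high as $0.54 in under an hour) is the kind of jump a deviation guard on a price feed is meant to stop from reaching lending or margin logic. The following is an added example, not Mango's code: the class name, the one-hour window, the 50% threshold and the intermediate ticks are assumptions, and only the $0.03 and $0.54 endpoints come from the article.

```python
from collections import deque
from statistics import median


class GuardedOracle:
    """Circuit breaker for a price feed (hypothetical design).

    A tick is accepted only if it is within max_move of the median of the
    ticks accepted during the last `window` seconds. Rejected ticks are
    logged and the reference price keeps being served until an operator
    reviews the feed.
    """

    def __init__(self, window=3600, max_move=0.5):
        self.window = window
        self.max_move = max_move
        self.accepted = deque()   # (timestamp, price)
        self.rejected = []        # (timestamp, raw price, reference price)

    def reference(self, now):
        # Expire old ticks, but always keep the newest accepted one so a
        # quiet market never leaves the guard without a baseline.
        while len(self.accepted) > 1 and now - self.accepted[0][0] > self.window:
            self.accepted.popleft()
        return median(p for _, p in self.accepted) if self.accepted else None

    def update(self, ts, price):
        ref = self.reference(ts)
        if ref is not None and abs(price - ref) / ref > self.max_move:
            self.rejected.append((ts, price, ref))
            return ref            # do not follow the spike
        self.accepted.append((ts, price))
        return price


# Constructed sample: (seconds, MNGO price in USD).
TICKS = [(0, 0.030), (300, 0.031), (600, 0.029), (900, 0.030),
         (1200, 0.090), (1800, 0.200), (2400, 0.380), (3000, 0.540)]


def replay(ticks, oracle):
    """Return (timestamp, raw price, served price) for every tick."""
    return [(ts, raw, oracle.update(ts, raw)) for ts, raw in ticks]


if __name__ == "__main__":
    guard = GuardedOracle()
    for ts, raw, served in replay(TICKS, guard):
        print(f"t={ts:>4}s raw={raw:.3f} served={served:.3f}")
    print("rejected ticks:", len(guard.rejected))
```

A guard like this halts on a genuine repricing as well, so it trades availability for safety and needs a review path for rejected ticks.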
Interestingly, the attacker seems to be willing to “negotiate”, but in exchange for a considerable reward. He has tabled a proposal to token holders in a governance vote.
The thief says he will return the stolen tokens. In return, Mango Markets must use its $70 million USDC cash balance to repay the lending users. This would leave the hacker with an estimated balance of $70 million.
In addition, the platform must agree not to launch any lawsuits against the attacker or freeze the tokens. While hackers sometimes receive bug bounty rewards, the one demanded seems exorbitant and is more like a ransom demand.