Crypto Attack Takes $100 Million From DeFi Service Mango
(Bloomberg) — An attacker siphoned off about $100 million from decentralized finance provider Mango by manipulating the price of the token in an exploit that wiped out depositors on the crypto platform.
Most read from Bloomberg
The robbery began with two accounts funded with the stablecoin USD Coin, the platform said Wednesday on Twitter. The accounts took large positions in Mango perpetual futures, causing the price of the Mango token to increase.
The price jump created an unrealized profit from futures. The attacker used it to borrow and withdraw roughly $100 million net from the protocol in a variety of tokens — leaving depositors with nothing, according to Mango.
“This incident has effectively resulted in a total drain of all available equity,” the platform said on Twitter, adding that the attackers are communicating with Mango and “indicating a willingness to negotiate.”
The exploit, which follows a wave of multimillion-dollar hacks of DeFi protocols in recent months, sheds light on some of the security weaknesses of decentralized exchanges. In the case of so-called DEXs, the software essentially makes it possible for crypto traders to trade directly with each other without an intermediary.
This differs from centralized exchanges – CEXs in industry jargon – which are run by a central entity that has custody of user funds.
“Despite their potential, DEXs are still immature in terms of development and come with their own set of security risks,” said Hirander Misra, CEO of GMEX Group. “There are over a hundred public blockchains, each with their own ways of doing things, which means no effective agreed standards and given their decentralized nature, no regulation and investor protection.”
The Mango incident is “a price manipulation attack” that took advantage of the opportunity to leverage positions on the platform, according to BlockSec, a company specializing in crypto security.
The perpetrator has posted a proposal on Mango’s governance page that appears to increase the possibility of returning some of the money in exchange for a bounty. Other conditions include using the service’s treasury to pay off bad debts and not pursuing criminal investigations or freezing funds.
Pump and dump
Mango, which operates on the Solana blockchain, is a decentralized crypto exchange that offers users the ability to make spot trades and loans.
It disabled deposits and said it believes the most constructive thing to do is to communicate with those responsible in an “attempt to resolve the issues amicably.”
Data from tracker CoinGecko shows that over the past 24 hours, the price of the Mango token has at one point shot up to around 9 US cents from 4 US cents before dropping to around 2 US cents.
Around $2 billion has been lost in crypto-security incidents this year, many committed by North Korea-linked groups, according to blockchain analytics firm Chainalysis.
Just last week, 2 million Binance coins – equivalent to nearly $570 million – were effectively minted and taken by a hacker. About $100 million was not recovered, while the rest was frozen, according to a statement from Binance.
(Update comment from GMEX manager in seventh paragraph.)
Most read from Bloomberg Businessweek
©2022 Bloomberg LP
