Mango Markets is a platform for cross-collateralized leverage trading. On October 12, 2022, an attacker drained over $116M worth of assets by manipulating the oracle price data.

Exploit Details

The attacker funded an account with over $5M USDC, took a short MANGO-PERP position, and offered 488M MANGO-PERP for sale at $0.0382. Next, he funded another account with an additional $5M USDC, took a long MANGO-PERP position, and bought 488M MANGO-PERP. Because liquidity between MANGO and USDC on the exchange was low, the attacker was able to pump the price of MANGO on various exchanges 5-10x in a matter of minutes. The oracles picked up the pumped price, which reached $0.91 per unit, and this allowed the attacker to take out a loan worth $116M and withdraw BTC (Sollet), USDT, SOL, mSOL, and USDC from Mango.
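The arithmetic behind the paragraph above, as an added example that is not Mango Markets' code: it values both accounts at the oracle price using the figures from this write-up, then repeats the valuation with a clamped price. Assumptions: fees, funding, liquidation and collateral weights are ignored, and `guarded_mark`, its 10% band and the use of the entry price as the slow reference are hypothetical.

```python
from decimal import Decimal as D

# Figures taken from the write-up above.
SIZE = D("488000000")   # MANGO-PERP bought by the long account
ENTRY = D("0.0382")     # USD price at which both positions were opened
PUMPED = D("0.91")      # USD oracle price after the spot pump
DEPOSIT = D("5000000")  # USDC funding each account
LOAN = D("116000000")   # USD value borrowed and withdrawn


def equity(deposit, size, entry, mark):
    """Cross-collateral equity: cash plus unrealized perp PnL at the mark.

    size is positive for a long position and negative for a short one.
    """
    return deposit + size * (mark - entry)


def guarded_mark(oracle_price, reference_price, max_dev):
    """Hypothetical mitigation: clamp the price used for collateral
    valuation to a band around a slower-moving reference price."""
    lo = reference_price * (1 - max_dev)
    hi = reference_price * (1 + max_dev)
    return min(max(oracle_price, lo), hi)


def report(max_dev=D("0.10")):
    """Value both accounts at the raw and at the clamped oracle price."""
    long_raw = equity(DEPOSIT, SIZE, ENTRY, PUMPED)
    short_raw = equity(DEPOSIT, -SIZE, ENTRY, PUMPED)
    mark = guarded_mark(PUMPED, ENTRY, max_dev)  # reference = ENTRY (assumed)
    long_guarded = equity(DEPOSIT, SIZE, ENTRY, mark)
    return {
        "long_raw": long_raw,            # paper profit counted as collateral
        "short_raw": short_raw,          # mirror-image loss left behind
        "combined": long_raw + short_raw,  # real money in the system
        "raw_covers_loan": long_raw >= LOAN,
        "long_guarded": long_guarded,
        "guarded_covers_loan": long_guarded >= LOAN,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:>20}: {value}")
```

The two accounts together never hold more than the $10M deposited; the long account's paper profit is exactly the short account's loss, so any loan issued against it beyond that is uncollateralized once the price reverts.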

After the exploit, the hacker put a proposal to a Mango DAO vote: he would keep the $70M bounty and send back $50M if Mango Markets used the remaining funds to pay back users with and without bad debt and, in addition, did not pursue any criminal investigations or freezing of funds once the tokens were sent back. Finally, the Mango DAO offered a bounty worth $47M, along with the promise not to press charges, if he sent back $67M worth of tokens.

Shortly after the exploit, the identity of the exploiter was revealed; the man's name was Avraham Eisenberg, and he didn't really hide. Instead, allegedly, he created a Twitter account where he bragged about the exploit and gained lots of followers. Even though part of the stolen funds was returned as per the DAO vote, the U.S. Department of Justice announced the arrest of Avraham Eisenberg, and later on, the CFTC (Commodity Futures Trading Commission) filed charges against him along with Mango Markets.

 

Avraham Eisenberg. Source: Cointelegraph

In simple words, unlike Wormhole or Cashio, Mango Markets wasn't hacked at all; it was exploited. Avraham Eisenberg pumped the price of Mango's native token, then sold, thereby dumping the price, and profited from the spread.
