Mango Market Exploit: A DeFi cybercrime disguised as “Good Intentions”


The Solana blockchain is not new to manipulations, attacks, and controversy. Last week, news of over $100 million stolen from a Solana-based derivatives exchange filled the air.

Mango Markets reported on its Twitter account that it was manipulated. Due to market conditions, the liquidity of most DeFi protocols is not as robust as in 2021. In Mango Market's case, the hacker stole $116 million, rendering the exchange insolvent. Accordingly, the DEX had nothing - not even enough money to refund users.

This event caused a lot of fuss on social media and crypto communities. Many said attacks like this are common and easy, and almost anyone with significant funds can exploit a decentralized exchange.

Nonetheless, the big questions are how this attack happened, who is responsible, and how to prevent such hacks in the future. 

What happened?

This manipulation started around 6:19 PM on October 11. The hacker moved 5 million USDC from the FTX exchange to a Solana wallet. Then, they placed a buy order of 483 million MNGO tokens. Finally, the hacker sent 5 million USDC to another Solana wallet and used this to settle the buy order. 

These trading positions allowed the attacker to manipulate MNGO's price from $0.03 to $0.91. With the 483 million MNGO tokens now worth over $400 million, it was enough collateral to borrow over $100 million. 

So, the hacker went on to borrow $116 million worth of cryptocurrencies from Mango Markets, using his over-leveraged MNGO position as collateral. As a result, Mango Markets lost all liquidity. Its insurance funds were insufficient to settle all users and return their assets. 

Intentions of the exploiter

Bad debt bailout

At some point in June 2022, Solend almost became insolvent after loaning 88% of its USDC to a single borrower. Therefore, Solend and Mango Markets had to come to an agreement that helped Solend back to its feet. The agreement allowed Solend to move $25 million in debts to Mango Markets.

So, Mango Market's attacker offered to return part of the stolen money to settle the bad debts created in June. This proposal seemed to be a just cause in favor of Mango Markets users. 

Yet, MNGO holders did not support it, as the hacker's proposal got over 90% "NO votes" from the DAO. This lack of support is understandable since the attacker's action has caused much loss for traders using Mango Markets. 

Accordingly, Mango Markets requested that the hacker refund specific amounts of stolen assets. According to Mango Markets, the hacker had to return twelve crypto assets, including USDC, MNGO, etc. In addition, they had 12 hours to refund at least eight of the cryptocurrencies as "a show of good faith."

On October 15, Mango Markets tweeted that it had received about $67 million worth of cryptocurrencies, implying that the hacker complied with the DAO's proposal. This refund will help Mango protocol in repaying any leftover bad debt. Also, its users can get their deposits back, and there will be no criminal investigations.

Personal Interest?

Meanwhile, other facts suggest that the hacker's intentions were not only about helping to resolve bad debts. Mango Markets is not requesting any additional refunds apart from the $67 million it has received. 

So, the hacker seems to have made away with about $49 million worth of cryptocurrencies. Remember, these assets originally belonged to Mango Markets users. If the hacker did not intend to cart away funds, why not return the entire $116 million? 

Identity of the exploiter

Attacker Doxxed

Not long before the attack, two Discord users were discussing how to use Oracles to manipulate DeFi markets. One even mentioned, "take a long position, and you make the numbers go up." 

The investigative journalist who uncovered those messages also pointed to Avraham Eisenberg as one of the parties in the discussion. 

After the attacker was doxxed by an online investigator, it might seem that Avraham was just a random person discussing random things. However, that is not the case. 

Attacker comes clean

Soon after the hack, a Twitter user with the profile name Avraham Eisenberg posted a tweet claiming responsibility for the Mango Markets hack.

While reporting his exploits, he did not call his actions a hack. Instead, he said his team performed highly profitable trading operations. Also, Avraham noted that his actions led to the insolvency of Mango Markets.

Past exploits of Avraham

Consider two past events where Avraham might have exploited other DeFi platforms. 

In February 2022, Avraham, who was part of the Fortress DAO team, single-handedly took over the DAO alongside over $14 million of its funds. At that time, Fortress DAO was failing, and the team tried to refund all the platform's users. 

However, it was reported that Avraham Eisenberg began making DAO proposals and using the tokens he took over to vote in favor of the proposals without the consent of other team members. In addition, he performed various fraudulent activities that milked all the available liquidity and made away with the treasury funds of Fortress DAO.  

Likewise, Avraham reportedly tried to pull liquidity from FODL Finance as he did on Mango Markets. He reportedly deposited 2.1 million USDC into FODL, entered multiple trading positions, and liquidated his accounts a few times. 

He hoped to pump FODL tokens falsely and use them as collateral to borrow millions. However, these attempts did not seem to succeed in FODL Finance as the liquidity pool created ended in bad debt. 

Mango Market, Oracle, or Exploiter: Who should be held responsible?

Although Avraham has claimed responsibility for the exploit, Mango Markets also has its share of the blame. According to Avraham, his team only took advantage of apparent flaws in Mango Market's design. 

He justified this manipulation, claiming his team performed "legal open market actions" without fraudulent intentions. However, Mango Markets became insolvent after his team profited from their leveraged positions. Also, Avraham blamed Mango Markets for setting trading parameters without considering their consequences.

At the same time, some blamed Switchboard and Pyth, DeFi oracles that report live data and prices of Solana tokens. The oracles were accused of reporting false prices of MNGO. However, Mango Market's CEO has concluded that none of these service providers are at fault. 

Those blaming Switchboard and Pyth might have thought that the oracles worked alongside the hacker to manipulate the price. Such a situation is possible in principle, since Mango's smart contracts copy the live value of MNGO from the oracles and use it to determine how much MNGO collateral a user must post to borrow a given amount.

But that is not necessarily the case. Since Avraham's team has falsely pushed prices on the exchange, Switchboard and Pyth will copy and report whatever is happening in the live market. They do not set the parameters. 

So, Mango DAO, which set the lending and borrowing rules of this exchange, and Avraham, who exploited the flaws in these rules, share the blame.

What can be done to prevent a recurrence?

Earlier, this article noted that Solend almost became insolvent in June 2022 due to the actions of a single user. It is the same case with Mango Markets as well. One user could borrow all the available liquidity simply because they had the collateral. 

Thus, two easy solutions may help DeFi lending platforms prevent such extreme cases in the future. 

Solution 1

First, decentralized lenders can set a maximum borrowing amount. This borrowing cap does not have to be a rigid value (e.g., $2 million). Instead, they could disallow smart contracts from giving out more than a certain percentage (e.g., 5%) of the protocol's total liquidity to a single user. 

Solution 2

Another solution is setting specific parameters that alert protocol developers to massive loan requests. The same parameters could also temporarily halt such a wallet from operating on the protocol until the devs are sure the transaction is legitimate and won't drain everyone's money.
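To make both solutions concrete, here is an added example (not Mango Markets code, and not from the article's author) that values collateral at the oracle price the way a lender would, then applies a per-user borrow cap expressed as a share of total liquidity (Solution 1) and a review hold on unusually large requests (Solution 2). The token count and prices are the article's figures; the $116 million of total lendable liquidity, the 5% cap and the 1% alert threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Figures from the article: 483M MNGO bought, price pushed from $0.03 to $0.91,
# $116M borrowed. Total lendable liquidity of $116M is a constructed assumption.
MNGO_TOKENS = 483_000_000
PRICE_BEFORE_USD = 0.03
PRICE_AFTER_USD = 0.91
PROTOCOL_LIQUIDITY_USD = 116_000_000.0


@dataclass
class BorrowDecision:
    allowed: bool     # would the protocol hand out the loan?
    cap_usd: float    # per-user cap derived from total liquidity (Solution 1)
    alert: bool       # should developers be paged and the wallet paused? (Solution 2)
    reason: str


def collateral_value_usd(tokens: float, oracle_price_usd: float) -> float:
    """Value collateral at the live oracle price, as a lender copying
    Switchboard/Pyth would. No haircut is applied (assumption)."""
    return tokens * oracle_price_usd


def check_borrow(requested_usd: float, collateral_usd: float,
                 total_liquidity_usd: float, already_borrowed_usd: float = 0.0,
                 max_user_share: float = 0.05, alert_share: float = 0.01) -> BorrowDecision:
    """Apply the two article mitigations on top of the ordinary collateral test."""
    cap_usd = max_user_share * total_liquidity_usd
    # Solution 2: any request at or above alert_share of liquidity is flagged
    # and held for review before funds move, even if it would otherwise pass.
    alert = requested_usd >= alert_share * total_liquidity_usd
    if requested_usd > collateral_usd:
        return BorrowDecision(False, cap_usd, alert, "undercollateralized")
    # Solution 1: one wallet may never hold more than max_user_share of liquidity.
    if already_borrowed_usd + requested_usd > cap_usd:
        return BorrowDecision(False, cap_usd, alert, "exceeds per-user share of liquidity")
    if alert:
        return BorrowDecision(False, cap_usd, True, "held pending developer review")
    return BorrowDecision(True, cap_usd, False, "ok")


if __name__ == "__main__":
    inflated = collateral_value_usd(MNGO_TOKENS, PRICE_AFTER_USD)
    print(f"collateral at manipulated price: ${inflated:,.0f}")
    print(check_borrow(116_000_000.0, inflated, PROTOCOL_LIQUIDITY_USD))
```

With the cap in place, even $439 million of inflated collateral only unlocks $5.8 million against a $116 million pool, which bounds the protocol's loss to the cap rather than to the whole pool.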

Written by
Trust Akpobome
