Is This the Trader Who Exploited Mango Markets for $100M?

DeFi protocol Mango Markets was exploited for $100 million yesterday. Suspicious on-chain activity leads to a wallet with an ENS name—and a possible owner.

Is This the Trader Who Exploited Mango Markets for $100M?
Shutterstock cover by Alexander Geiger

Key Takeaways

  • Decentralized perpetual futures exchange Mango Markets was drained of $100 million yesterday.
  • A trader by the name of Avraham Eisenberg recently discussed attacking protocols in a similar fashion on a private Discord server.
  • On-chain activity suggests an Ethereum address could have received $30 million from the exploit.

Share this article

One sleuth believes he knows the identity of the person responsible for Mango Markets’ $100 million attack, but how reliable is his evidence?

Mango Markets Exploited

Crypto trader Avraham Eisenberg allegedly discussed exploiting a protocol on a Discord server for a nine-figure loot. Six days later, Mango Markets was drained of $100 million. 

According to independent investigative reporter Chris Brunet, Mango Markets was drained of its funds yesterday by crypto trader Avraham Eisenberg. Brunet claims Eisenberg had previously talked in a private discord server about the possibility of attacking a protocol in a similar way to how Mango Markets was exploited.

Mango Markets is a decentralized derivatives exchange on Solana. On October 11, at around 22:19 UTC, an attacker began artificially inflating the price of the illiquid MNGO token from $0.3 to $0.91 by taking out a large position in Mango’s perpetual futures contracts. They then used their significant unrealised profits as collateral to borrow assets belonging to the protocol, draining over $100 million from its treasury.

Discord Discussion

In his article, Brunet claims Eisenberg floated the idea of attacking a lending protocol on Discord on October 5. “I’m investigating a platform that could maybe lead to a 9 figure payday,” Eisenberg allegedly wrote under his pseudonym, Vires Creditor and Honest Person. When another Discord member suggested sharing the information with famous crypto white hat hacker samczsun, Eisenberg responded that the protocol’s Treasury was small and that he most likely wouldn’t get a large bounty if he publicized the attack vector.

He then explained the attack itself: “You take a long position. And then you make [the price] go up. And then you withdraw all the protocol’s [total locked value].” When another Discord member explicitly said it would be theft, Eisenberg replied he considered it as an act of arbitrage, meaning a trade that aims to take advantage of differing prices for certain assets.

Eisenberg further stated that Ethereum lending protocol Aave could be exploited this way, though the attack would require at least $10 million upfront to work. Eisenberg called that particular exploit “more annoying than what I have in mind.”

Brunet provided screenshots of the conversation on his Substack page. When contacted by Crypto Briefing, Brunet claimed the conversation had been deleted from the Discord server by the channel’s moderators out of panic. Crypto Briefing has, therefore, not been able to verify the authenticity of these screenshots independently. However, if they are accurate, it would mean that Eisenberg was discussing an exploit remarkably similar to the one that shook Mango Markets six days before it happened. 

On-Chain Activity

Brunet offered a screenshot of Eisenberg providing on June 4 an ENS name for one of his Ethereum addresses: ponzishorter.eth. That ENS name is linked to an account that begins with 0xADBaB, which is the account that registered the name in the first place.

As Brunet pointed out, ponzishorter.eth received exactly $7,500,000 in USDC directly from Circle at 23:28:35 UTC. Brunet found the transaction suspicious as the Mango attacker had sent $7,519,769,12 to Circle from Solana at 23:27:07 UTC, meaning the two transactions were sent off within a minute and twenty-eight seconds from each other.

Crypto Briefing subsequently found two additional transfers that were eerily timed. The attacker first sent Circle $5,000,000 in USDC at 23:14:54, and the ponzishorter.eth wallet received $4,500,000 in USDC at 23:16:35, about one minute and thirty-nine seconds later. The attacker then sent an additional $20,000,000 in USDC to Circle at 23:17:38; a minute and nine seconds later, at 23:18:47, ponzishorter.eth received $18,000,000 in USDC. 

While the ponzishorter.eth wallet consistently received lower sums than the ones sent to Circle by the attacker, the timing around the transactions warrants suspicion.

Intriguingly, the ponzishorter.eth owner also chose to immediately swap his $30 million in USDC for DAI. Circle has been known to blacklist and freeze the USDC in addresses belonging to hackers. It’s possible the ponzishorter.eth owner purposefully traded his tokens for decentralized stablecoins in order to avoid this.

It’s worth noting that the Mango attacker sent an additional $25 million to Circle at around the same time. The transaction was not mirrored on the ponzishorter.eth, which indicates the attacker may have at least one other wallet, or that they kept the funds on their Circle account (which is unlikely.)

When reached for comment, a spokesperson for Circle told Crypto Briefing, “Circle is investigating the incident in question and will take appropriate action.”

So far, the link between ponzishorter.eth and Eisenberg is contingent on the screenshot provided by Brunet, and there is no conclusive proof that he is the culprit in this case. It’s not the first time Eisenberg has faced similar allegations, however. In February, he was accused on Twitter of exploiting Fortress DAO for $10 million.

Crypto Briefing has reached out to Eisenberg for comment but had not received a reply at press time.

15/10 Update: Avraham Eisenberg has admitted that he was involved in the attack. Read our update on the development here.

Disclosure: At the time of writing, the author of this piece owned BTC, ETH, and several other cryptocurrencies.

Share this article

Loading...