Mango $100M Attack: How a Whale Swindled a Solana DeFi Favorite
An attacker manipulated Mango Markets to drain over $100 million worth of crypto Tuesday. They’ve since engaged with the project’s DAO in hopes of evading legal charges.
- A whale manipulated the price of Mango Markets' MNGO token to drain over $100 million from the platform.
- The attacker has put forward a DAO proposal that would see the project commit its treasury to paying off the bad debt.
- Mango CEO Daffy Durairaj has said that making users whole is his top priority.
Share this article
In something of an audacious move, the attacker used their MNGO tokens to vote on their own Mango DAO governance proposal.
Whale Targets Mango
Days after BNB Chain’s bridge was hit by a $566 million exploit, Mango Markets has suffered a nine-figure attack. The Solana DeFi protocol was targeted late Tuesday after a whale attacker found a way to profit from manipulating its markets. Mango is a decentralized trading venue built on the Solana blockchain. It offers margin and futures trading, letting Solana DeFi users bet on the price performance of assets like SOL, ETH, and BTC. “Long & short everything,” the tagline on its website reads.
According to a Wednesday tweet storm from the Mango team, the perpetrator used their USDC holdings to take out two large positions in perpetual futures contracts for the MNGO token. This caused an artificial price spike, which allowed the attacker to take out a series of large loans, effectively draining the protocol of its liquidity. They drained over $100 million in a variety of digital assets, including USDC, MSOL, SOL, BTC, USDT, MNGO, and SRM.
While the Mango team said that the MNGO price manipulation was exacerbated after oracles updated to show an inflated price for the token, the oracles worked as designed. Contrary to some reports, this was not an oracle-specific attack, but rather a classic example of market manipulation. The whale was able to execute the attack because they had millions of dollars worth of USDC collateral, and they took advantage of the thin trading on the Mango platform. Such attacks can pose a threat to other lending protocols like Mango with similarly low trading activity.
Market manipulation is illegal in the traditional world, but attackers often gravitate toward DeFi, an unregulated market that’s sometimes referred to as “the Wild West of finance.” Even as regulators have started monitoring the space more closely with a focus on stablecoins and protocol thefts, it may take years for them to investigate a case and there are many incidents they miss. That makes DeFi a fertile ground for pump-and-dump antics like those carried out by the Mango whale.
Nonetheless, the whale’s moves following the attack suggest that they are aware of potential criminal proceedings. Posting on the Mango DAO governance forum, the attacker presented a proposal that would see them return the majority of the drained funds if the Mango team agreed to use $70 million worth of USDC from its treasury to repay the protocol’s “bad debt.” If passed, the treasury would go to Mango users who had deposited to the now-drained protocol.
In their note, they also suggested that voting for the proposal would count as an agreement to drop any plans for a criminal investigation. It read:
“By voting for this proposal, mango token holders agree to pay this bounty and pay off the bad debt with the treasury, and waive any potential claims against accounts with bad debt, and will not pursue any criminal investigations or freezing of funds once the tokens are sent back as described above.”
The proposal puts the Mango team up against its own users, and it also attempts to absolve the attacker of any wrongdoing in the eyes of the law. In reality, however, a DAO governance proposal is unlikely to pass with law enforcement; if authorities decided this attack was worth investigating, they wouldn’t likely hesitate because the Mango community agreed not to press charges.
What’s more, the proposal is unlikely to be taken too seriously given the current voting results. The attacker used 32.9 million MNGO tokens to approve their own suggestion, roughly one third of the voting power required for the proposal to pass. It’s due to close early Saturday.
What Comes Next?
While it’s unclear how Mango’s future will look, the team said it froze the protocol early Wednesday to prevent anyone from making new deposits. It also said that preventing further losses, making users whole, and rebuilding in the wake of the attack were “priorities” for the DAO.
In attacks such as this one, teams often offer bug bounties to their attackers for the safe return of the funds. While Mango has not yet made a bounty offer to the attacker, the project’s CEO Daffy Durairaj weighed in on the bad debt proposal. They wrote:
“Hey this is Daffy, we’re working through tallying the losses and limiting losses wherever we can. I can’t give a concrete proposal yet, but these are my objectives in order of importance: 1. You are cleared of any wrongdoing 2. You make a healthy profit 3. All Mango depositors are made whole 4. Mango DAO maintains some treasury to rebuild What do you think?”
Durairaj did not comment on whether the DAO would commit $70 million from its treasury, but his post hints that he hopes the DAO keeps at least some of its reserves.
Durairaj also posted a tweet early Wednesday, reiterating to Mango depositors that he would do “everything in [his] power” to recover their funds.
Both Durairaj and the attacker have suggested plans that attempt to make Mango users whole and clear the attacker’s name, letting them make off with a tidy profit in the process. While Durairaj has also expressed hopes for the team to “rebuild” in the fallout from the incident, whether Mango will be able to survive such a big financial and reputational hit remains to be seen.
Disclosure: At the time of writing, the author of this piece owned ETH and several other cryptocurrencies.