On October 12, Mango, a decentralized finance platform built on Solana, was exploited for about $116 million.
In addition, Mango suffered a secondary attack in which the hacker manipulated the DAO's governance proposals.
1. According to a deep dive analysis by CertiK Skynet, the exact plan of attack is as follows:
First, the attackers injected $5 million into the first account (CQvKSNnY...) and subsequently shorted 483 million units of MNGO-PERP.
The attacker then funded the second account (4ND8FVPjU...) and went long 483 million units of MNGO-PERP at $0.0382 per unit.
The attacker then pushed the MNGO price reported by the Switchboard and Pyth oracles to $0.15+, which produced a mark-to-market increase in the value of the second (long) account from its unrealized profit.
Shortly after, the second account was used to max out the borrows of other tokens on Mango, including BTC (sollet), USDT, SOL, mSOL and USDC, which were then transferred out. The net value extracted by the account totaled about $116 million.
2. The epic DAO Governance manipulation of Mango
After stealing the assets, the hacker launched a proposal in Mango to use $70 million from the treasury to repay bad debts.
If the proposal is approved, approximately $40 million worth of tokens will be returned to Mango by the hacker. The hacker also asked for the remaining hacked funds to be considered a bug bounty and that no criminal investigation be pursued.
The hacker then used the stolen governance tokens to vote "yes" on the proposal.
Note: At present, the number of voting participants has exceeded 30 million, and the proposal can only be passed if the number of approval votes exceeds 100 million.
3. The impact of the event
UXD Protocol with their decentralized stablecoin UXD officially announced their total exposure of $19,986,134.9037 in Mango and assured users that their insurance fund has more than enough capital to cover losses.
The Total Value Locked (TVL) in Solana also fell to US$1.04 billion at 11:00 on the same day, with a 24-hour decline of 19.9%.
Yield aggregation platform TulipProtocol has limited exposure in Mango with only USDC/Ray strategy vaults losing about $2.5 million USDC and 66,721 RAY.
4. Timeline of the full exploit on Mango
October 12, 7:00 AM
OtterSec tweeted that Solana-based decentralized finance platform Mango was drained for over $100M.
October 12, 7:36 AM
In response to the potential $100 million attack, Mango said it was investigating an incident of hackers extracting funds from Mango through oracle price manipulation and was taking steps to have third parties freeze liquidity.
As a precaution, Mango said it would disable deposits on the front end, provide updates as the situation develops, and was open to discussing a bounty for the return of funds.
October 12, 8:20 AM
UXDProtocol stated that they had a total exposure of $19,986,134.9037 in Mango and assured users that their insurance fund has more than enough capital to cover losses. Users can also redeem these funds once Mango recovers.
October 12, 9:00 AM
After stealing the assets, the hacker launched a proposal in Mango to use $70 million from the treasury to repay bad debts.
If the proposal is approved, approximately $40 million worth of tokens will be returned to Mango by the hacker. The hacker also asked for the remaining hacked funds to be considered a bug bounty and that no criminal investigation be pursued.
The hacker then used the stolen governance tokens to vote "yes" on the proposal.
Note: At present, the number of voting participants has exceeded 30 million, and the proposal can only be passed if the number of approval votes exceeds 100 million.
October 12, 12:30 PM
Mango released a detailed report on the attack.
2 accounts funded with USDC took an outsized position in MNGO-PERP.
Underlying MNGO/USD prices on various exchanges (FTX, Ascendex) experienced a 5-10x price increase in a matter of minutes.
This led to Switchboard and Pyth oracles updating their MNGO benchmark price to $0.15+.
This further caused a mark-to-market increase in the value of the account that was long MNGO-PERP from the unrealized profit.
This allowed the account to borrow and withdraw BTC (sollet), USDT, SOL, mSOL, USDC out of the Mango protocol, maxing out the borrows available from the $190 million equivalent deposits on the platform.
At 10:37 on October 12th, Mango program instructions were frozen to prevent any user from further interacting with the protocol.
Mango DAO's priorities are to prevent any further unnecessary losses, secure depositor funds for the Mango Protocol, and try to salvage some of the value of Mango DAO.
Mango believes the most constructive way to resolve this is to continue communicating with people responsible for the incident and gain control of the funds removed from the protocol to resolve the issue amicably.
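The attack steps in section 1 and Mango's own report above both hinge on the same accounting: a perp position's unrealized profit, marked at the oracle price, is counted as collateral, so a manipulated oracle print inflates borrow capacity. The following added example (not Mango's code, nor CertiK's) replays the page's figures, 483M MNGO-PERP longed at $0.0382 with the oracle pushed to $0.15, through a naive spot oracle and through an assumed guarded oracle that clamps per-update deviation and marks at a short time-weighted average; the collateral weight and the oracle parameters are placeholders, not Mango's settings.

```python
from collections import deque
from statistics import mean

# Figures from the page: the second account longed 483M MNGO-PERP at $0.0382
# and the Switchboard/Pyth MNGO price was pushed to $0.15+.
POSITION_UNITS = 483_000_000
ENTRY_PRICE = 0.0382
SPIKE_PRICE = 0.15

def unrealized_pnl(units: float, entry: float, mark: float) -> float:
    """Mark-to-market profit of a long perp position at the oracle's mark price."""
    return units * (mark - entry)

def borrow_capacity(deposits: float, pnl: float, weight: float = 0.8) -> float:
    """Assumed risk-engine rule: positive unrealized PnL counts as collateral,
    haircut by a collateral weight (0.8 is a placeholder, not Mango's parameter)."""
    return (deposits + max(pnl, 0.0)) * weight

class SpotOracle:
    """Naive feed: the mark price is whatever the latest exchange print says."""
    def update(self, price: float) -> float:
        return price

class GuardedOracle:
    """Assumed mitigation (not Mango's code): clamp each update to +/- max_dev of the
    previous accepted price, then mark at the mean of a short rolling window."""
    def __init__(self, window: int = 5, max_dev: float = 0.10):
        self.history = deque(maxlen=window)
        self.max_dev = max_dev

    def update(self, price: float) -> float:
        if self.history:
            last = self.history[-1]
            price = min(max(price, last * (1 - self.max_dev)), last * (1 + self.max_dev))
        self.history.append(price)
        return mean(self.history)

def pnl_after_feed(oracle, feed: list) -> float:
    """Replay a price feed through an oracle and return the position's PnL at the end."""
    mark = ENTRY_PRICE
    for price in feed:
        mark = oracle.update(price)
    return unrealized_pnl(POSITION_UNITS, ENTRY_PRICE, mark)

# Constructed feed: four calm prints at the entry price, then the manipulated spike.
FEED = [ENTRY_PRICE] * 4 + [SPIKE_PRICE]

if __name__ == "__main__":
    for name, oracle in (("spot", SpotOracle()), ("guarded", GuardedOracle())):
        pnl = pnl_after_feed(oracle, FEED)
        print(f"{name:8s} unrealized PnL ${pnl:,.0f}  borrowable ${borrow_capacity(5e6, pnl):,.0f}")
```

With the spot oracle the single spike print turns into roughly $54 million of paper profit that the risk engine treats as collateral; the guarded oracle accepts only a small move from the same print, which is the property a lending protocol wants from its mark price.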