Event Overview
MangoFarmSOL positioned itself as a staking protocol on the Solana network, encouraging users to deposit SOL and receive rewards. The project gained attention from the Solana community by promising an airdrop on January 10th.
However, the January 10 promise was never fulfilled. On January 6, 2024, MangoFarmSOL carried out an exit scam, transferring the 13,512 SOL deposited by users out of the project contract (approximately US$1.26 million at the time), and then deployed a malicious front end that misled users into authorizing an "emergency migration", resulting in the theft of approximately $60,000. This is the largest exit scam we have uncovered so far in 2024.
Subsequently, MangoFarmSOL closed its social accounts and website.
Similar to the xKingdom incident we reported before, this incident once again highlights the inherent risk of exit scams in the DeFi field and underscores the importance of user vigilance and team KYC.
Scam Timeline
Step One: Lay a trap
① On January 3, the project used social media KOL promotion to improve its credibility and attract more users.
② On January 5, the team published an article claiming that it would airdrop MANGO tokens on January 10. Users could earn more rewards by staking SOL and referring other users.
③ From January 3 to January 7, users began to deposit SOL into the MangoFarmSOL contract. Lured by the promise of MANGO token airdrops and influenced by online marketing, the protocol’s TVL exceeded $1.3 million.
Step Two: Carry out the scam
① Stealing contract funds: The MangoFarmSOL team launched the scam and withdrew the 13,514 SOL (approximately $1.26 million) that users had deposited into the Mango contract to wallet 8ggvi.
• First transaction: 135 SOL transferred from the Mango contract (Bfg5SM) to wallet 8ggvi.
• Second transaction: 13,379 SOL transferred from the Mango contract (Bfg5SM) to wallet 8ggvi.
② Deploying a malicious front end to steal again: The team then used the earlier theft as a pretext to deploy a front end containing malicious code under the guise of an "emergency migration". The project's official social media account also posted the malicious front end, tricking users into conducting transactions that resulted in the theft of approximately $60,000 in additional assets.
③ Disappearing completely: MangoFarmSOL subsequently deactivated its social media accounts, shut down its official website, and began transferring the funds.
Step Three: Fund Transfer
Flow of Stolen Funds in Mango Contract
① Initial transfer: The Mango contract held a total of 13.5K SOL, worth approximately US$1.26 million. After being stolen, it was sent to the address 8ggvi....ejND7.
② Mixing & conversion: Next, 9,458 SOL was sent to 4nBETJ to obscure the fund trail; all SOL in 8ggvi and 4nBE was subsequently converted to USDC.
③ Cross-chain to Ethereum: The USDC was bridged from the Solana network to Ethereum through Wormhole and sent to 4 different ETH addresses over multiple transactions:
380k USDC bridged to 0x09e3 in 4 transactions
319k USDC bridged to 0xc504
351k USDC bridged to 0x6898
217k USDC bridged to 0x8816
④ Final laundering: After reaching the Ethereum network, the USDC was swapped for ETH. The stolen funds were then laundered through Railgun (a privacy mixer) and exchanged through eXch (an instant exchange) to further obscure their trail.
[Figure: example of a transaction transferred to Railgun]
[Figure: example of a transaction transferred to eXch]
Flow of Funds Stolen Through the Malicious Front End
① Consolidation and conversion: User assets stolen through the malicious front end were consolidated into SOL and then converted into approximately $58,600 of USDC.
② Cross-chain to Ethereum through Allbridge: The USDC was bridged to the Ethereum network in 2 transactions on Allbridge, to the address 0x7ca...d8fec.
③ Final laundering: The USDC bridged to Ethereum was exchanged for 26 ETH. These funds were then deposited into FixedFloat over multiple transactions.
Final distribution of stolen funds
The stolen funds bridged to the Ethereum network were ultimately concentrated in three places:
eXch: about 292 ETH
Railgun: about 263 ETH
FixedFloat: about 26 ETH
Lessons Learned
The MangoFarmSOL scam is the largest exit scam of 2024 so far. Its methods are similar to those of the Harvest Keeper incident in 2023: both projects deployed malicious front ends after the first theft to steal further user funds.
The MangoFarmSOL exit scam caused an estimated loss of $1.32 million, highlighting the urgent need for review of decentralized projects.