An attacker manipulated price oracle data to steal over $100 million from Mango Markets, a decentralized finance (DeFi) exchange built on Solana. The manipulation let the attacker take out under-collateralized crypto loans.
Mango Markets lets customers trade cryptocurrencies on spot margin and trade perpetual futures on the Solana blockchain. It is administered by a decentralized autonomous organization known as Mango DAO.
It appears the attacker was able to manipulate their Mango collateral. They temporarily spiked up their collateral value, and then took out massive loans from the Mango treasury.
— OtterSec (@osec_io) October 11, 2022
OtterSec, a blockchain auditing company, was the first to expose the issue on Twitter. According to OtterSec, the attacker manipulated their Mango collateral: they artificially inflated its value for a short period of time and then took out enormous loans from the Mango treasury.
Robert Chen, the founder of OtterSec, described it as a fault in the economic design. He went on to say that the MNGO governance token was priced far higher than it should have been.
Because of this, the attacker was able to use it as collateral for massive loans, which he subsequently used to deplete Mango’s liquidity pools.
It’s kind of like a contest between lending money and borrowing money: if you have collateral that’s been overvalued, you can borrow against it, and that’s exactly what they did, according to Chen.
The attacker then obtained a loan in the amount of 116 million dollars, which left Mango's treasury at -116.7 million dollars.
The draining of USDC, MSOL, SOL, BTC, USDT, and MNGO wiped out all of Mango's liquidity.
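The overvalued-collateral problem described above, as an added example that is not part of the original article and is not Mango Markets' code: it compares a borrow limit computed from the momentary oracle price with one capped near a time-weighted average price. The averaging guard, the function names and every price, amount and risk parameter are assumptions constructed for illustration.

```python
# Added illustration: every price, amount and parameter here is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    t: int        # observation time, seconds
    price: float  # oracle price of the collateral token, USD

def twap(samples, now, window):
    """Time-weighted average price over [now - window, now].
    A sample's price holds until the next sample (or until `now`)."""
    start, total, covered = now - window, 0.0, 0
    for cur, nxt in zip(samples, samples[1:] + [Sample(now, 0.0)]):
        lo, hi = max(cur.t, start), min(nxt.t, now)
        if hi > lo:
            total += cur.price * (hi - lo)
            covered += hi - lo
    if covered == 0:
        raise ValueError("no oracle samples inside the window")
    return total / covered

def guarded_price(spot, reference, max_deviation):
    """Value collateral at spot, capped at reference * (1 + max_deviation)."""
    return min(spot, reference * (1 + max_deviation))

def borrow_limit(units, price, collateral_factor):
    """Maximum loan, in USD, against `units` of collateral."""
    return units * price * collateral_factor

# Constructed series: stable at $0.04, then a 100-second spike to $0.50.
SAMPLES = [Sample(0, 0.04), Sample(3500, 0.50)]
NOW, WINDOW = 3600, 3600
UNITS, FACTOR, MAX_DEV = 100_000_000, 0.5, 0.10  # hypothetical risk parameters

def compare():
    """Return (limit at raw spot, limit at guarded price) for the series."""
    spot = SAMPLES[-1].price
    ref = twap(SAMPLES, NOW, WINDOW)
    naive = borrow_limit(UNITS, spot, FACTOR)
    guarded = borrow_limit(UNITS, guarded_price(spot, ref, MAX_DEV), FACTOR)
    return naive, guarded

if __name__ == "__main__":
    naive, guarded = compare()
    print(f"spot-valued limit:  ${naive:,.0f}")
    print(f"TWAP-guarded limit: ${guarded:,.0f}")
```

With the constructed series, a short spike multiplies the spot-valued limit while barely moving the guarded one, which is the gap a lending venue's risk checks need to close.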
DeFi Attacks Are Getting More and More Rampant
Mango Markets wasn't the first DeFi platform to suffer a cyberattack in recent memory. After a cross-chain bridge exploit last week, BNB Chain lost 2 million BNB coins, valued at $568 million. TempleDAO was similarly compromised, and the hacker removed $2.34 million in tokens from the platform.
As Ethereum co-founder Vitalik Buterin previously claimed, despite the huge potential for a multi-chain web3 future, it is highly unlikely that cross-chains are viable owing to their inherent security concerns.