Various reports indicate that the Solana-based trading and lending platform Mango Markets was hacked; an analysis of the hack published by Certik explains that the attackers manipulated the price of the project’s native token, Mango (MNGO), thereby allowing them to borrow $117 million against the abused collateral.
Mango Markets hacked for $117 million, blockchain security firm summarizes attack vector
On Tuesday, Solana-based Mango Markets’ platform was hacked for $117 million. The team tweeted about the issue on October 11 at 7:36 pm ET. “We are currently investigating an incident where hackers drained funds from Mango through oracle price manipulation,” Mango Markets’ Twitter account elaborated. “We are taking steps to freeze funds in flight by third parties. We have disabled deposits on the front end as a precautionary measure and will update you as the situation develops.”
Blockchain security and auditing firm Certik summarized the Mango Markets hack in an after-action report, explaining that the hackers were able to manipulate the price of the project’s native token, Mango (MNGO). “The attackers used two addresses to manipulate the price of Mango’s native token and collateral asset, MNGO, from $0.038 to a peak of $0.91,” Certik explained in a note sent to Bitcoin.com News. “This allowed them to borrow heavily against the $MNGO collateral, which was about $117 million, but this figure fluctuated as the price of the affected tokens reacted to the news.”
Attackers were able to manipulate the price of MNGO tokens and borrow more assets than they should have been able to.
According to blockchain security firm Hacken, the hacker started with roughly $5 million USDC to reach their goal. Mango Markets’ official Twitter account confirmed that two USDC-funded accounts took large long positions in “MNGO-PERP.” “The underlying MNGO/USD prices on various exchanges (FTX, Ascendex) experienced a 5-10x price increase in a matter of minutes,” Mango said. Mango added that the oracle provider was not at fault for the incident, emphasizing:
We would like to add a clarification and mention here that the Oracle provider was not at fault in any way. The Oracle price report worked as it should.
Meanwhile, blockchain security and auditing firm Certik revealed that the attack vector was allegedly known as of March 2022. “The vulnerability here was due to the thin liquidity of the MNGO/USDC market, which was used as a price reference for MNGO perpetual swaps,” Certik’s summary adds. “With only a few million USDC at their disposal, attackers were able to drive MNGO prices up 2,394%. This exact attack vector seems to have been raised on Mango’s Discord channel in March of this year,” Certik’s postmortem concludes.