Mango Markets tweeted on October 12 that a hacker was able to steal $100 million from Mango via an oracle price manipulation.
“We are currently investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation. We are taking steps to have third parties freeze funds in flight,” tweeted Mango.
According to the blockchain security auditing firm OtterSec, the attacker inflated the value of their own collateral and then borrowed against it from Mango.
“It appears the attacker was able to manipulate their Mango collateral. They temporarily spiked up their collateral value, and then took out massive loans from the Mango treasury,” said OtterSec.
— OtterSec (@osec_io) October 11, 2022
“It’s an economic design flaw,” OtterSec founder Robert Chen told Decrypt on Telegram, adding that Mango Markets had already acknowledged the risk.
Joshua Lim, Head of Derivatives at Genesis Global Trading, said: "At 6:19 PM ET, an attacker funded account A with 5mm USDC collateral."
Lim explained that the attacker later sold 483 million units of MNGO perp contracts on Mango Markets’ order
At 6:24 PM ET, the attacker funded a second account with another 5 million USDC of collateral and used it to buy those 483 million MNGO perps at roughly $0.03 each, so the attacker now held both sides of the trade.
At 6:26 PM ET, the attacker pushed the MNGO spot price up to $0.91. Because Mango marked the perp position at the manipulated spot price, the 483 million MNGO long showed roughly $423 million of unrealized profit, all of which counted toward the attacker's collateral.
Against that inflated collateral the attacker borrowed about $116 million, leaving Mango's treasury with a balance of roughly -$116.7 million.
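The sequence above is a worked example of why marking collateral at a manipulable spot price is an economic design flaw. The following toy model is added here for this article and is not Mango Markets code: it replays the reported numbers (5M USDC of collateral, 483M MNGO perps bought near $0.03, spot pushed to $0.91, a $116M loan) against an assumed risk engine that counts unrealized perp profit as collateral at full weight, first with a naive last-trade oracle and then with a time-weighted average price (TWAP) oracle. The collateral rule, the 60-tick window, the price feed and every function name are assumptions made for the illustration.

```python
"""Toy model of the collateral-inflation attack described above.

Constructed illustration for this article, not Mango Markets code. The
position size, entry price, spot price and loan amount are the ones reported
above; the collateral rule, the oracle designs and all names are assumptions
made for the example.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass
class Account:
    usdc_collateral: float   # deposited USDC, counted 1:1
    perp_size: float         # MNGO-PERP contracts held, positive = long
    entry_price: float       # average price paid for them
    borrowed_usdc: float = 0.0


def unrealized_pnl(acct: Account, mark: float) -> float:
    """Paper profit of the perp position at the oracle's mark price."""
    return acct.perp_size * (mark - acct.entry_price)


def borrow_capacity(acct: Account, mark: float) -> float:
    """USDC the (assumed) risk engine will lend against this account.

    Assumed rule: all unrealized perp profit counts as collateral at full
    weight. That is the flaw the attack exploits; haircuts and maintenance
    ratios are omitted so the effect of the oracle choice stays visible.
    """
    collateral = acct.usdc_collateral + unrealized_pnl(acct, mark)
    return max(0.0, collateral - acct.borrowed_usdc)


def spot_oracle(prices: list[float]) -> float:
    """Naive oracle: the last traded price, however it got there."""
    return prices[-1]


def twap_oracle(prices: list[float], window: int) -> float:
    """Average of the last `window` samples (one sample per tick assumed)."""
    return mean(prices[-window:])


def try_borrow(acct: Account, mark: float, amount: float) -> bool:
    """Approve the loan only if capacity covers it; records it on success."""
    if amount > borrow_capacity(acct, mark):
        return False
    acct.borrowed_usdc += amount
    return True


def attack_timeline(window: int = 60, loan: float = 116e6) -> dict:
    """Replay the reported sequence against both oracle designs."""
    # Constructed price feed (assumption): MNGO trades near $0.03 for an
    # hour, then the attacker prints the spot market up to $0.91 and holds
    # it there for two ticks while the loan is requested.
    prices = [0.03] * (window - 2) + [0.91, 0.91]
    results = {}
    for name, mark in (("spot", spot_oracle(prices)),
                       ("twap", twap_oracle(prices, window))):
        # Account B from the article: 5M USDC plus the 483M long bought near $0.03.
        acct = Account(usdc_collateral=5e6, perp_size=483e6, entry_price=0.03)
        results[name] = {
            "mark": mark,
            "capacity": borrow_capacity(acct, mark),
            "loan_approved": try_borrow(acct, mark, loan),
        }
    return results


if __name__ == "__main__":
    for name, r in attack_timeline().items():
        print(f"{name:>4}: mark=${r['mark']:.4f} "
              f"capacity=${r['capacity'] / 1e6:,.1f}M "
              f"$116M loan approved={r['loan_approved']}")
```

Under the spot oracle the two-tick spike lifts borrowing capacity to about $430M, so the $116M loan clears easily; under the 60-tick TWAP the same spike moves the mark only to about $0.059 and capacity to about $19M, and the loan is refused. The TWAP is a generic mitigation used for the illustration, not a description of what Mango Markets did; its value is that the attacker would have to defend the inflated price for the whole window, which costs far more than two ticks of buying. A full design would also haircut unrealized PnL rather than count it at full weight.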
Mango Markets’ Response
Mango Markets responded by disabling deposits and asking third parties to freeze the stolen funds.
“We will be disabling deposits on the front end as a precaution, and will keep you updated as the situation evolves,” said Mango.
Mango added, “We believe the most constructive way to approach this is to continue communicating with those responsible for the incident and in control of the funds removed from the protocol to attempt to resolve the issues amicably.”
Attacker was funded 5.5M from @FTX_Official
— wainuo (@ChenWainuo) October 11, 2022
After a Twitter user pointed out that the attacker's account had been funded with 5.5M from FTX, FTX's CEO replied that the company was investigating.