In the second $100 million DeFi hack this week, Mango Markets was drained of $100 million in funds due to an exploit. Mango Markets tweeted Tuesday evening that a hacker was able to drain funds from Mango via oracle price manipulation.
Just last Thursday, $100 million was stolen from Binance Smart Chain, another DeFi protocol.
According to blockchain auditing website OtterSec, the attacker temporarily increased the value of their collateral and then took out loans from the Mango treasury.
Mango Markets is a Solana-based platform for spot margin and perpetual futures trading of digital assets. Mango Markets is managed by Mango DAO.
“It’s an economic design flaw,” OtterSec founder Robert Chen told Decrypt via Telegram, adding that it is a risk that Mango Markets had already acknowledged.
“At 6:19pm ET, an attacker funded account A with 5mm USDC collateral,” tweeted Joshua Lim, former head of derivatives at Genesis Global Trading.
As Lim explained, the attacker then offered 483 million units of MNGO perps (perpetual contracts) on Mango Markets’ order book. Then, at 6:24 PM ET, the attacker funded another account with 5 million USDC collateral to buy the 483 million units of MNGO perps at $0.03 per unit.
At 6:26 PM ET, the attacker began moving the Mango spot market price, increasing the price to $0.91 and the value of 483 million MNGO to $423 million.
The attacker then took out a loan of $116 million, leaving Mango’s treasury with a negative balance of -116.7 million. Assets drained include USDC, MSOL, SOL, BTC, USDT, SRM and MNGO, wiping out all of Mango’s liquidity.
In response, Mango Markets says it has disabled deposits and is taking steps to freeze third-party funds.
A Twitter user noted that the attacker was funded 5.5 million by FTX, prompting FTX CEO Sam Bankman-Fried to respond that the company is investigating.
Mango Markets has offered the attacker the chance to collect a bug bounty in exchange for returning the stolen funds.
Editor’s note: this article has been updated to note that Joshua Lim is no longer affiliated with Genesis Global Trading.