On October 11th, 2022, another high-profile hack hit the DeFi industry, with over $117 million stolen from Mango Markets, a decentralized exchange (DEX) on the Solana network that offers traders up to 20x leverage on popular crypto trading pairs.
Summary of the Mango Markets $117 Million Hack
The yet-to-be-identified hacker exploited Mango Markets via a classic liquidity attack called “oracle manipulation”, a vicious type of hack in which the spot price of a DEX-listed token is manipulated in order to take out outsized loans.
- The hacker initially deposited about $10m in USDC, using $5m of that to purchase 434 million MNGO tokens. They then proceeded to take a large long position on MNGO perps (perpetual futures) using the Mango Markets DEX.
- By doing this they were able to pump the price of the MNGO tokens from $0.0382 to about $0.91 within minutes.
- The price pump gave them access to an astronomically high amount of leverage, allowing them to take out over $117m worth of USDC in loans using 434 million units of the overpriced MNGO tokens as collateral.
- With an outsized collateral account now worth over $300 million, they were able to borrow solid assets from the protocol and exit, netting a profit of over 100 million dollars in the process.
- In the aftermath, the hacker then submitted a proposal to the DAO that controls Mango, suggesting that in exchange for returning the stolen assets, they should receive a bounty as well as an unequivocal immunity from criminal proceedings.
- The hacker then went ahead and used the stolen tokens to vote for the proposal.
Total Estimated Losses — $117 Million
Type of Hack — Oracle manipulation.
Number of Victims & Affected Wallets — On closer examination, it appears that the hack has effectively wiped out all available liquidity on Mango Markets.
Because this hack was not targeted at specific wallets or staking pools, the number of victims or DeFi users who will take a hit from it has not been identified. However, it is expected that the majority of stakers and fund providers on the Mango Markets protocol will take significant losses on their portfolios.
Post Mortem & Recovery Efforts
After the hack was discovered, the Mango Markets team immediately suspended all withdrawals, perpetual futures markets and spot positions.
In a statement released via Twitter, the team then promised to work on a recovery plan to make all users whole again.
“We computed every account’s equity in USDC and plan to reimburse as much as we can using the DAO treasury (subject to vote) and whatever tokens we’re able to recover.”
Mango Markets team (October 13, 2022)
About 24 hours later, the team issued a public appeal to the hacker via a DAO proposal. In the proposal the team gave the hacker a 12-hour ultimatum to refund the stolen funds by transferring them to dedicated wallet addresses. In exchange, the team offered not to pursue any criminal investigations.
“The funds sent by you and the mango DAO treasury will be used to cover any remaining bad debt in the protocol. All mango depositors will be made whole.
By voting for this proposal, mango token holders agree to pay off the bad debt with the treasury, and waive any potential claims against accounts with bad debt, and will not pursue any criminal investigations or freezing of funds once the tokens are sent back as described above.”
Mango Markets team (October 14, 2022)
What is Oracle Manipulation?
Oracle manipulation, or oracle price manipulation, is a type of exploit in the DeFi space where the price an oracle smart contract reports is manipulated by attackers in order to create arbitrage situations or perpetrate theft.
Like most liquidity-pool-based DEXs, Mango Markets makes use of Automated Market Makers (AMMs) to algorithmically estimate token prices based on the ratio of tokens in a pool. Trades, loans and staking transactions are all performed against a smart contract based on the current market dynamics of the underlying liquidity pool (LP), i.e. a pool of a token pair that can be traded for each other, such as MNGO-USDC.
Since trades are self-executing, this creates an opening for attackers with large enough capital to manipulate a liquidity pool. In a bear market, where trading orders are fewer and pools are thin, the incentive for bad actors to execute an oracle manipulation attack is even greater, to devastating effect.
By depositing $5m in a pool and manipulating the MNGO token price from $0.0382 to about $0.91, the hacker was able to steal over $100m within minutes, by using the overpriced tokens as collateral to obtain seemingly legitimate loans.
Because the price was manipulated, those loans automatically became bad debt, as the real value of the collateral MNGO tokens has since dropped below the original $0.0382 price.
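To make the mechanism concrete, here is an added toy model (not Mango Markets code, and a deliberately simplified version of how Mango actually priced collateral): a constant-product pool whose "price" is just its reserve ratio, a lender that values collateral at that spot price, and a guarded oracle that caps the collateral valuation at a fixed deviation above a time-weighted average. The reserves, the 5m USDC buy, the 80% loan-to-value ratio and the 10% deviation cap are all constructed numbers.

```python
"""Toy model: constant-product pool, naive spot-price collateral valuation,
and a TWAP-guarded valuation. All numbers are constructed for illustration."""
from collections import deque
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """x * y = k pool; reserve_token is the MNGO-like asset, reserve_usdc the quote."""
    reserve_token: float
    reserve_usdc: float

    def spot_price(self) -> float:
        # With no external feed, the pool's "price" is simply the reserve ratio.
        return self.reserve_usdc / self.reserve_token

    def buy_token_with_usdc(self, usdc_in: float) -> float:
        """Swap USDC into the pool and return the tokens received (no fee modelled)."""
        k = self.reserve_token * self.reserve_usdc
        new_usdc = self.reserve_usdc + usdc_in
        new_token = k / new_usdc
        tokens_out = self.reserve_token - new_token
        self.reserve_token, self.reserve_usdc = new_token, new_usdc
        return tokens_out


class GuardedOracle:
    """Keeps a window of past prices and never values collateral more than
    max_deviation above the time-weighted average of that window."""

    def __init__(self, window: int, max_deviation: float) -> None:
        self.history = deque(maxlen=window)
        self.max_deviation = max_deviation

    def observe(self, price: float) -> None:
        self.history.append(price)

    def twap(self) -> float:
        return sum(self.history) / len(self.history)

    def collateral_price(self, spot: float) -> float:
        # Conservative valuation: a spot price far above the average is capped.
        # A production system would typically also pause new borrows here.
        cap = self.twap() * (1 + self.max_deviation)
        return min(spot, cap)


def borrow_limit(collateral_tokens: float, price: float, ltv: float) -> float:
    """Maximum USDC a lender extends against the tokens at the given price."""
    return collateral_tokens * price * ltv


def run_scenario() -> dict:
    """One large buy into a thin pool, then collateral valued both ways."""
    pool = ConstantProductPool(reserve_token=100_000_000, reserve_usdc=3_820_000)
    oracle = GuardedOracle(window=10, max_deviation=0.10)
    spot_before = pool.spot_price()          # 0.0382 USDC per token
    for _ in range(10):                      # ten quiet observations at that price
        oracle.observe(spot_before)

    usdc_spent = 5_000_000
    tokens_bought = pool.buy_token_with_usdc(usdc_spent)
    spot_after = pool.spot_price()           # reserve ratio jumps to roughly 0.2

    naive = borrow_limit(tokens_bought, spot_after, ltv=0.8)
    guarded_price = oracle.collateral_price(spot_after)
    guarded = borrow_limit(tokens_bought, guarded_price, ltv=0.8)
    return {
        "spot_before": spot_before,
        "spot_after": spot_after,
        "usdc_spent": usdc_spent,
        "tokens_bought": tokens_bought,
        "naive_borrow_limit": naive,
        "guarded_price": guarded_price,
        "guarded_borrow_limit": guarded,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:>22}: {value:,.4f}")
```

The naive lender lets the buyer borrow more USDC than they spent to move the price, which is exactly the "seemingly legitimate loan" pattern described above; the guarded valuation keeps the borrow limit well below the amount deposited. The guard is a valuation rule, not a trading restriction, so it complements rather than replaces the alerting and trade-restriction controls discussed later.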
Ways to Prevent Oracle Manipulation
Here are four effective ways for DEXs and DeFi users to protect themselves from falling victim to oracle price manipulation and related hacks.
- Bot Alerts
Transaction alerts, especially those involving large-volume trades, should be amplified and sent out to stakeholders in real time.
DEXs can create bot accounts that publish trade orders in real time to the public or to their community of stakeholders, using channels such as Twitter, Telegram or email. Price manipulation attacks are executed within minutes, and real-time transaction alerts let stakeholders notice outlier orders or suspicious transactions as they happen, so the support team can respond quickly to limit the damage or stop the hack completely.
- Triggers for Unusual Price Movements
DEXs can deploy smart-contract triggers that restrict withdrawals or trade execution once certain types of suspicious transactions are spotted, e.g. when particular wallets execute trades beyond a set frequency or volume limit.
This buys the support and dev team time to examine the trading activity for price manipulation characteristics.
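The two controls above (large-volume alerts, and frequency or price-move triggers that restrict a wallet pending review) are straightforward to prototype off-chain as a monitor over the trade stream. The following is an added example, not Mango Markets tooling: the Trade event shape, the thresholds, the market name and the sample trades are all constructed, and the timestamps are plain unix seconds.

```python
"""Real-time trade monitor: large-trade alerts, per-wallet frequency limits and
price-move triggers over a sliding window. Events and thresholds are constructed."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    ts: int            # unix seconds
    wallet: str
    market: str
    side: str          # "buy" or "sell"
    notional_usdc: float
    price: float


@dataclass(frozen=True)
class Alert:
    ts: int
    kind: str          # "large_trade", "high_frequency" or "price_move"
    wallet: str
    market: str
    detail: str


class TradeMonitor:
    def __init__(self, large_trade_usdc: float, max_trades_per_window: int,
                 window_s: int, max_price_move: float) -> None:
        self.large_trade_usdc = large_trade_usdc
        self.max_trades_per_window = max_trades_per_window
        self.window_s = window_s
        self.max_price_move = max_price_move
        self.per_wallet: dict[str, deque] = defaultdict(deque)    # wallet -> timestamps
        self.price_history: dict[str, deque] = defaultdict(deque)  # market -> (ts, price)
        self.restricted: set[str] = set()  # wallets whose trades are held for review

    def ingest(self, t: Trade) -> list[Alert]:
        alerts: list[Alert] = []

        # 1. Large-volume trade: broadcast immediately (the "bot alert" control).
        if t.notional_usdc >= self.large_trade_usdc:
            alerts.append(Alert(t.ts, "large_trade", t.wallet, t.market,
                                f"notional {t.notional_usdc:,.0f} USDC"))

        # 2. Frequency limit per wallet inside the sliding window.
        q = self.per_wallet[t.wallet]
        q.append(t.ts)
        while q and t.ts - q[0] > self.window_s:
            q.popleft()
        if len(q) > self.max_trades_per_window:
            alerts.append(Alert(t.ts, "high_frequency", t.wallet, t.market,
                                f"{len(q)} trades in {self.window_s}s"))

        # 3. Price move relative to the oldest price still inside the window.
        ph = self.price_history[t.market]
        ph.append((t.ts, t.price))
        while ph and t.ts - ph[0][0] > self.window_s:
            ph.popleft()
        base = ph[0][1]
        move = (t.price - base) / base
        if abs(move) > self.max_price_move:
            alerts.append(Alert(t.ts, "price_move", t.wallet, t.market,
                                f"{move:+.0%} vs {base} within {self.window_s}s"))

        # Frequency or price-move triggers restrict the wallet until reviewed.
        if any(a.kind in ("high_frequency", "price_move") for a in alerts):
            self.restricted.add(t.wallet)
        return alerts


# Constructed sample stream: two ordinary trades, then one wallet pushing the price.
SAMPLE_TRADES = [
    Trade(1665446400, "wallet_A", "MNGO-PERP", "buy", 20_000, 0.0382),
    Trade(1665446405, "wallet_B", "MNGO-PERP", "sell", 15_000, 0.0381),
    Trade(1665446410, "wallet_X", "MNGO-PERP", "buy", 1_500_000, 0.0390),
    Trade(1665446420, "wallet_X", "MNGO-PERP", "buy", 1_500_000, 0.1100),
    Trade(1665446430, "wallet_X", "MNGO-PERP", "buy", 1_500_000, 0.4500),
    Trade(1665446440, "wallet_X", "MNGO-PERP", "buy", 500_000, 0.9100),
]


def run_monitor(trades: list[Trade]) -> tuple[list[Alert], set[str]]:
    """Feed trades through a monitor; return all alerts and the restricted wallets."""
    mon = TradeMonitor(large_trade_usdc=1_000_000, max_trades_per_window=3,
                       window_s=60, max_price_move=0.25)
    alerts: list[Alert] = []
    for t in trades:
        alerts.extend(mon.ingest(t))
    return alerts, mon.restricted


if __name__ == "__main__":
    found, held = run_monitor(SAMPLE_TRADES)
    for a in found:
        print(f"{a.ts} {a.kind:<14} {a.wallet:<9} {a.market} {a.detail}")
    print("restricted for review:", sorted(held))
```

The first alert fires on the first large buy, before the price has moved, which is the window in which a human can still intervene; the price-move trigger then restricts the wallet on the second buy. Thresholds should be tuned to the market's normal volume so that routine activity does not trip them.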
- Vesting Schedule for Voting Power
To prevent voting power abuse, on-chain governance in DAOs should be designed such that token-based voting power vests over time from acquisition. If a user purchases $5 million worth of tokens, they shouldn’t be able to instantly exercise their maximum voting power.
This will help to prevent bad actors from using stolen tokens to pass auto-executable commands to cause further damage or frustrate recovery efforts.
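An added illustration of that design (not Mango DAO's governance code): voting power per token lot vests with a short cliff and then linearly, and the same votes are tallied both naively and with vesting. The holders, lot sizes, acquisition times, vesting periods and quorum are constructed.

```python
"""Vesting-weighted vote tally versus a naive one-token-one-vote tally.
Holders, lots, timings and the quorum are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass

DAY = 86_400


@dataclass(frozen=True)
class Lot:
    holder: str
    tokens: float
    acquired_at: int   # unix seconds


def vested_fraction(acquired_at: int, now: int, cliff_s: int, vest_s: int) -> float:
    """0 before the cliff, then linear until fully vested at vest_s after acquisition.
    With cliff_s = vest_s = 0 this degenerates to the naive 'fully vested' rule."""
    elapsed = now - acquired_at
    if elapsed < cliff_s:
        return 0.0
    if elapsed >= vest_s:
        return 1.0
    return (elapsed - cliff_s) / (vest_s - cliff_s)


def voting_power(lots: list[Lot], holder: str, now: int, cliff_s: int, vest_s: int) -> float:
    return sum(lot.tokens * vested_fraction(lot.acquired_at, now, cliff_s, vest_s)
               for lot in lots if lot.holder == holder)


def tally(lots: list[Lot], votes: dict[str, bool], now: int,
          cliff_s: int, vest_s: int, quorum: float) -> dict:
    """votes maps holder -> True (for) / False (against)."""
    power = {h: voting_power(lots, h, now, cliff_s, vest_s) for h in votes}
    yes = sum(p for h, p in power.items() if votes[h])
    no = sum(p for h, p in power.items() if not votes[h])
    return {"yes": yes, "no": no, "passes": yes > no and yes >= quorum}


NOW = 1_665_705_600  # constructed reference time
LOTS = [
    Lot("alice", 30_000_000, NOW - 400 * DAY),      # long-term holder, fully vested
    Lot("bob", 20_000_000, NOW - 200 * DAY),        # fully vested
    Lot("carol", 10_000_000, NOW - 90 * DAY),       # partly vested
    Lot("newcomer", 434_000_000, NOW - 3_600),      # bought one hour ago
]
VOTES = {"alice": False, "bob": False, "carol": False, "newcomer": True}
CLIFF, VEST, QUORUM = 7 * DAY, 180 * DAY, 50_000_000


def compare_tallies() -> tuple[dict, dict]:
    naive = tally(LOTS, VOTES, NOW, cliff_s=0, vest_s=0, quorum=QUORUM)
    vested = tally(LOTS, VOTES, NOW, cliff_s=CLIFF, vest_s=VEST, quorum=QUORUM)
    return naive, vested


if __name__ == "__main__":
    naive, vested = compare_tallies()
    print("naive  :", naive)
    print("vested :", vested)
```

Under the naive tally the fresh 434 million-token lot outvotes every long-term holder; under the vested tally it carries no weight yet, and the proposal fails. A vesting rule does not stop a determined attacker from waiting, so it pairs naturally with a timelock on proposal execution.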
- Get Cover
The ultimate form of protection against catastrophic losses is to purchase cover for your crypto assets from DeFi coverage protocols like InsurAce.io. With the Smart Contract Vulnerability cover, you can claim compensation when a DeFi protocol on which you stake your funds gets hacked.
During the infamous TerraUST crash in May 2022, InsurAce bailed out over 150 victims with around $11.7 million in payouts, settling the entire claim process within just 2 weeks of the de-peg event.
InsurAce has since introduced new product offerings to further solidify its status as an industry leader in the DeFi Coverage space.