CertiK Logo
CertiK Logo
Products
Company
incident-response
Back to all stories
Analysis Reports
Mango Market Incident Anaylsis
11/21/2022
Mango Market Incident Anaylsis

TL;DR

On October 11, 2022 at 6:19 PM EST, Mango Market was attacked, causing a loss of $116M. The attacker was able to manipulate the price of MNGO token and borrowed more assets on the platform than was permitted.

Introduction

Mango Market is built on the Solana blockchain and utilizes Serum DEX for spot margin trading while perpetual futures are traded on Mango Market’s own order book. Mango Market is governed by $MNGO token holders via the Mango DAO.

On October 11, 2022 at 10:19 PM UTC, Mango Markets was hacked by a group of attackers, including Avraham Eisenberg who claimed to be part of the group on Twitter. A loss of $116M occurred after manipulating the value of a posted collateral to higher prices, and then taking out significant loans against the inflated collateral, which ended up draining Mango’s treasury. The attacker began by funding the first account (CQvKSNnY…) with 5M USDC and then offered 483mm units of MNGO perps on the order book. Then the attacker funded the second account (4ND8FVPjU…) which was used to buy the 483mm units of MNFO perps at a price of $0.0382 per unit. As a result, the attacker was able to move the price of MNGO which they increased to $0.91. With this price set for MNGO/USD, the second account was able to borrow other tokens on Mango Market. The attacker subsequently took all available liquidity on Mango, leaving account A with approximately $11,537,729.05 borrowed tokens and account B with 500M uncollectible debt. The price of $MNGO has dropped 47% as a result of the incident.

On October 15, 2022 Eisenberg posted on Twitter that this was a “highly profitable trading strategy” and that it was “legal open market actions, using the protocol as designed.” In his tweet, he claims that the development team failed to anticipate the consequences of the protocol’s parameters.

Funds Returned

The attacker submitted a proposal to send the token back. The wallet receiving funds drained from the protocol offered via a DAO community vote to return a portion of the proceeds less a substantial bounty, if the community promised not to pursue legal action.

On October 15, 2022 Mango’s developers tweeted that they were in the process of getting back $67 million in various cryptoassets and that the team started working on an algorithm to decide on a refund split. Overall, after a proposal in the Mango’s governance forum was approved, Eisenberg was allowed to keep $47 million as a “bug bounty” while $67 million was sent back to the treasury.

Eisenberg was initially linked to the wallet address that carried out the attack via an ENS domain name ponzishorter.eth. An anonymous Discord chat log also showed Eisenberg discussing the precise mechanism of the exploit in advance.

Attack Flow

  1. The attacker funded the first account (Account A) CQvKSNnYtPTZfQRQ5jkHq8q2swJyRsdQLcFcj3EmKFfX with 5M USDC in this transaction.

yCLZqSqlb7-Hf2yYuiYU G2jMv8eepjekJFu-PIrXllKt7hPtCWRs84WwK8muAYpUGLsylayP1KRNJmn9q2tkq7SoPejZHkYHJxilVvI-e1Em4j2QR5fwM4W0HV j-pGQAA3an5n6A39eU0gI5LBSBSkI7GmAgCCp57XPVlVdE3QqmSfNQitlqzyqEv8UQ

  1. The attacker then offered out 483M units of MNGO perps (short) on the order book

nzDE6qrvdHaGzqUfA4E3ZMpT12-U0aqqYDTeCR9Mx9AP-g5wJ9N3SsiFyGUSe4bdQrDI613p8Fw8uq-X8S5NIKifThXh Dfl9-hmfKAsIDhVy-Qo1QutR01NjxR391Yh9eGORzoDFqKuYd3LHhTrZOSTuMg8YSgjKLcPTUnSCX-7xoWoBXxPnCI83j9E1g

  1. The attacker funded the second account (Account B) 4ND8FVPjUGGjx9VuGFuJefDWpg3THb58c277hbVRnjNa

vWVtS8opBsjRu9o7yYmQO iwHpBE44aLIVY0x6C6BEcpF4agh-fvjPRZIRVRtoQu5rPoUQLqfRW-PtWyQvMd0lnm72AbknG5YxZZs42eY2r0krifoxQRtzXFo6DS6-n- DWs4Xs7BCp7V7cj 9RJeX3kks36GrdQDiuWZ2fwUzxbHxdLv yDJwEUOY3L7g

  1. Then the second account was used to buy 483M units of MNGO perps (long), at a price of $0.0382 per unit.

  2. The attacker started to move the spot price of MNGO, and increased it to $0.91

WGkjkHPQynhunrf6dDRsrk2ZNzt9JlJ-j5vzyBnmuyQMZ2C8PvPNmeDR6d eLcpEHe9UJRQqaMU4QmqhScD2AbBzZjrAA3yJ3dBVua-OcgS 5htbAhl2aSDYVqLI5f5MlHk7gA7iNS2kZNcu6Nhl3KQp89-nq92nnLOwRDuCjf9G jUKCZj4nDTSe8Psmg

  1. With MNGO/USD price of $0.91 per unit, account B was able to borrow other tokens on Mango Market. The attacker also used the funds in account B (the original deposit + the funds for selling borrowed MNGO) to borrow other tokens on Mango Market.

  2. The above borrow behaviors leave account A with a total value of $11,306,771.61 uncollectible debt and account B with -$115,182,674.43 bad debt.

Addresses

Two accounts were used to conduct the attack.

Account “A” received 5M USDC collateral which offered out 483mm units of MNGO perps: CQvKSNnYtPTZfQRQ5jkHq8q2swJyRsdQLcFcj3EmKFfX

Account “B,” the trader, used another 5 million USDC to buy the same amount of MNGO, using 10 million USDC in total to effectively hedge his position: 4ND8FVPjUGGjx9VuGFuJefDWpg3THb58c277hbVRnjNa

Profit and Assets Tracing

Solana.FM🔮🔎 SolanaFM SolanaFM

Account A: i1N925 CpTi9Mn7Kq3yJgbcJUOwqdcOvUgaK218DAOiuIPYYZz-Y3Q2Lo xly0d3CxWSVM4Wy0e91vL0cwYmxjCFKtusF8JkCF-9nxVEiDFij1P0AFVuYtm-sSPBHiJlflnyCuXVcEOyovi27A36LC6kYzsJQgzTOQ8YWUcuE9loKgMJ7aOTp i3byUVMg

Account B: Acct B

Conclusion

Overall, the attackers executed a self-funded economic attack by manipulating the oracle price of MNGO. Since the attack, a debate has been sparked on Twitter as to whether those responsible could be subject to civil or even criminal liability. So far, there are few precedents for prosecuting this type of DeFi market manipulation. This case has some similarities to the Indexed Finance exploit that took place in December 2021. The founders of the protocol identified the attacker, and a lawsuit is still pending in Canadian courts. Following these events, Mango Markets has announced a new version dubbed 'v4' which will use the Serum Community Fork. Despite serious setback, the project appears hopeful in securing a place in the future of web3.