Solana-Based Decentralized Finance Platform Mango Has Been Hacked For $100 Million

The Solana blockchain-based decentralized finance platform Mango has been exploited for over $100 million.
Blockchain auditors OtterSec first posted about the hack on Twitter, claiming that “the attacker was able to alter their Mango collateral.”

It appears the attacker was able to manipulate their Mango collateral. They temporarily spiked up their collateral value, and then took out massive loans from the Mango treasury. pic.twitter.com/2IJrB9RcEJ
— OtterSec (@osec_io) October 11, 2022

Attackers Inflated Mango’s Token

According to OtterSec’s Robert Chen, the attackers inflated the value of Mango’s token (MGNO) and used that to take huge loans.

“The [MGNO] governance token was valued for far more than it should be. With that, [the attacker] was able to take out large loans against it and then drain Mango’s [liquidity] pools. It’s like a lending-borrowing race: if you have overvalued collateral, you can then borrow against that collateral, and that’s what they did.”

Although there are currently a number of suggestions flying around on Twitter proposing how the theft could’ve been pulled off, according to Chen, it is still unknown exactly how the attacker was able to increase MNGO’s worth in the eyes of the Mango protocol.

In a Tweet posted on Tuesday, Mango acknowledged the vulnerability and said it was “investigating an incident where a hacker was able to drain funds from Mango via an oracle pricing manipulation.”

We are currently investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation.

We are taking steps to have third parties freeze funds in flight. 1/
— Mango (@mangomarkets) October 11, 2022

Hacker Addresses have been Quarantined

As of publication, the drained funds were still there on the Solana blockchain. Offending addresses have been blacklisted in similar circumstances by centralized exchanges like Coinbase, Binance, and Kraken, the only organizations with the liquidity for someone to cash out amounts this high.

As a precaution, Mango said in its original statement that it was “disabling deposits on the front end” and “taking efforts to have third parties freeze monies in flight.”

Users can make spot transactions and loans on the decentralized Mango cryptocurrency exchange, which runs on the Solana blockchain. According to price information from CoinMarketCap, the value of Mango’s MNGO token fell over 42% in the previous day due to concerns that the platform may have been abused.

Tuesday’s hack, which followed last week’s $80 million hack of Binance’s BNB blockchain, was the second significant decentralized financial attack in less than a week.