Crypto attack swipes US$100m from DeFi service Mango
An attacker spirited away about US$100 million from decentralised finance provider Mango by manipulating the price of its token in an exploit that wiped out depositors on the crypto platform.
The heist began with two accounts funded with the stablecoin USD Coin, the platform said on Wednesday (Oct 12) on Twitter. The accounts took large positions in Mango perpetual futures, causing the price of the Mango token to spike.
The price jump stoked an unrealised profit from the futures. The attacker used that to borrow and withdraw roughly a net US$100 million from the protocol in a range of tokens - leaving depositors with nothing, according to Mango.
“This incident has effectively resulted in a total draining of all equity available,” the platform said on Twitter, adding the attackers are communicating with Mango and “indicating a willingness to negotiate.”
The exploit, which follows a spate of multimillion-US dollar hacks of DeFi protocols in past months, sheds light on some of the security weaknesses of decentralised exchanges. At so-called DEXs, software essentially enables crypto traders to transact directly with each other without an intermediary.
This differs from centralised exchanges - CEXs in industry argot - which are run by a central entity that has custody of user funds.
“Despite their potential, DEXs are still immature in terms of their evolution and come with their own set of security risks,” said Hirander Misra, chief executive of GMEX Group. “There are over a hundred public blockchains, each with their own ways of doing things, meaning no effective agreed standards and given their decentralised nature, no regulation and investor protection.”
The Mango incident is “a price manipulation attack” that took advantage of the ability to leverage up positions on the platform, according to BlockSec, a company specialising in crypto security.
The perpetrator has posted a proposal on Mango’s governance page that appears to raise the possibility of returning some of the money in return for a bounty. Other conditions include using the service’s treasury to pay off bad debt and not pursuing criminal probes or freezing funds.
Mango, which operates on the Solana blockchain, is a decentralised crypto exchange that offers users the ability to make spot trades and loans.
It disabled deposits and said it believes the most constructive thing to do is to communicate with those responsible in an “attempt to resolve the issues amicably.”
Data from tracker CoinGecko shows that in the past 24 hours the price of the Mango token at one point shot up to about 9 US cents from 4 US cents before sinking to about 2 US cents.
Some US$2 billion has been lost in crypto security incidents this year, many perpetrated by North Korea-linked groups, according to blockchain analysis firm Chainalysis.
Just last week, two million Binance Coins - equivalent to nearly US$570 million - were effectively minted and taken by a hacker. About US$100 million wasn’t recovered, while the rest was frozen, according to a Binance statement. BLOOMBERG