96% of voting tokens approve deal; Mango Markets will not pursue criminal charges
Prajeet Nair (@prajeetspeaks) • October 15, 2022
Decentralized financial exchange Mango Markets will pay a $47 million bounty to the hacker who stole $117 million worth of digital assets on Wednesday.
Mango Markets is a trading platform built on the Solana blockchain. The platform halted operations, stopping all deposits and withdrawals, to limit the impact of the attack.
As part of a new deal between the hacker and the decentralized finance exchange, the hacker will keep $47 million as a bug bounty and return the remaining $67 million stolen via the protocol.
The hacker originally put forward his proposal to the decentralized autonomous organization governing Mango Markets, which would have given the attacker a $70 million bounty.
The Mango DAO governs Mango Markets and gives MNGO token holders the authority to make decisions about the platform’s functions.
The attacker also demanded that the decentralized finance company should not open a criminal investigation or freeze the hacker’s funds if the proposal goes through.
The voting deadline was Saturday at 1:12 a.m. UTC. About 96% of the governance vote, around 473 million tokens, voted yes for the deal, while only 3.4% opposed it.
The hacker allegedly voted for this proposal as well, using millions of tokens stolen in the exploit.
“Funds transferred by you and the Mango DAO treasury will be used to cover any remaining bad debts in the log. All Mango depositors will be made complete,” read the governance vote.
The deal also requires the hacker to return some of the tokens within 12 hours of the proposal being opened “as a sign of good faith” and to return the remaining assets within 12 hours once voting is complete and the deal is accepted.
In response to the update, the CEO of cryptocurrency trading company Wintermute said on Twitter that “this result feels so wrong.” He said: “I understand the Mango community and why the protocol wants to go ahead and close this page, but this outcome feels so wrong. Can we really fund a DAO to (legally) take this guy down independently?”
According to one voter on the forum, the deal is “an absurdly high bounty for such a lowly attack,” while another voter said, “We should give him less bounty because he’s a criminal who’s in no position to negotiate anymore. He will be convicted and arrested – don’t give him ±$50 million! 25 million total is more than enough. Reduce it by 50%.”
According to blockchain security firm OtterSec, which identified the attack, the attacker manipulated the MNGO token’s price oracle data to take out “massive” undercollateralized crypto loans from Mango’s treasury.
An oracle is a tool that feeds relevant off-chain data onto the blockchain so that smart contracts can use it. A price oracle supplies the price information for a digital asset. “None of the oracle vendors have a fault here. Oracle pricing reporting worked as it should have,” the company said.
The vulnerability arose from the low liquidity in the market between MNGO and the USDC stablecoin, which was used as a price reference for a MNGO perpetual swap.
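To illustrate why a thin reference market matters for lending, the following added example (not code from Mango Markets or OtterSec) compares a borrow limit that trusts the reported price alone with one capped by what the order book could actually absorb on liquidation. The order book, prices, position sizes and loan-to-value ratio are all constructed, and the function names are hypothetical.

```python
"""Added example: collateral valuation against a thin reference market (constructed data)."""

# Constructed bid side of a thinly traded TOKEN/USDC book: (price in USDC, size in TOKEN).
THIN_BIDS = [(0.038, 200_000), (0.036, 300_000), (0.030, 500_000), (0.020, 1_000_000)]


def mark_value(units, oracle_price):
    """Naive valuation: every unit is worth the latest reported price."""
    return units * oracle_price


def realizable_value(units, bids):
    """USDC obtained by selling `units` into the visible bids, best price first.

    Units beyond the book's depth are valued at zero, since nobody is bidding for them.
    """
    remaining, proceeds = units, 0.0
    for price, size in sorted(bids, reverse=True):
        fill = min(remaining, size)
        proceeds += fill * price
        remaining -= fill
        if remaining <= 0:
            break
    return proceeds


def borrow_limit(units, oracle_price, bids, ltv=0.5, depth_aware=True):
    """Maximum loan against the collateral at loan-to-value ratio `ltv`.

    With depth_aware=False the limit trusts the reported price alone.
    With depth_aware=True it is capped by what liquidation could actually recover.
    """
    value = mark_value(units, oracle_price)
    if depth_aware:
        value = min(value, realizable_value(units, bids))
    return ltv * value


if __name__ == "__main__":
    # Constructed scenario: a 100M-unit position while the reported price spikes to 0.90.
    for label, flag in (("price only", False), ("depth aware", True)):
        print(label, round(borrow_limit(100_000_000, 0.90, THIN_BIDS, depth_aware=flag), 2))
    # An ordinary 100k-unit position at the normal price is unaffected by the cap.
    print("small position", round(borrow_limit(100_000, 0.038, THIN_BIDS), 2))
```

The oracle can report the traded price faithfully in both cases; the difference is whether the lending logic asks how much of that price the market depth can back.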