In the second $100 million DeFi hack this week, $100 million in funds was drained from Mango Markets through an exploit. Mango Markets tweeted Tuesday night that a hacker was able to drain funds from Mango through oracle price manipulation.
Just last Thursday, $100 million was stolen from Binance Smart Chain, another DeFi protocol.
According to blockchain audit website OtterSec, the attacker temporarily boosted the value of their collateral and then borrowed from the Mango treasury.
Mango Markets is a digital asset trading platform on the Solana blockchain for spot margin and perpetual futures trading. Mango Markets is managed by Mango DAO.
“This is an economic design flaw,” OtterSec founder Robert Chen told Decrypt via Telegram, adding that this is a risk that Mango Markets has already acknowledged.
It appears that the attacker was able to manipulate their Mango collateral. They temporarily boosted their collateral value and then took out massive loans from the Mango treasury.
“At 18:19 ET an attacker funded Account A with 5mm USDC collateral,” tweeted Head of Derivatives at Genesis Global Trading, Joshua Lim.
As Lim explained, the attacker then offered 483 million units of MNGO perps (perpetual contracts) on the Mango Markets order book. Then at 18:24 ET the attacker funded another account with 5 million USDC of collateral to buy those 483 million units of MNGO perps at $0.03 per unit.
At 18:26 ET, the attacker began moving the spot market price of MNGO, driving the price to $0.91 and the value of the 483 million MNGO to $423 million.
The attacker then borrowed $116 million, leaving Mango’s treasury with a negative balance of -116.7 million. Assets withdrawn include USDC, MSOL, SOL, BTC, USDT, SRM, and MNGO, wiping out all of Mango’s liquidity.
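The valuation weakness described above, as an added example that is not code from Mango Markets, OtterSec or the people quoted here: a simplified lending model in which marking an open position at the instantaneous spot oracle price lets a loan of the reported size pass, while a bounded price plus a haircut on unrealized gains refuses it. The function names, the $0.03 reference price (TWAP), the 10% band, the 50% haircut and the alert threshold are assumptions, and the model ignores fees, funding and collateral weights, so its totals do not exactly match the figures quoted in the tweets.

```python
from dataclasses import dataclass

@dataclass
class PerpPosition:
    size: float         # long units of the perpetual contract
    entry_price: float  # USD per unit paid when the position was opened

    def unrealized_pnl(self, mark_price: float) -> float:
        return self.size * (mark_price - self.entry_price)

def naive_equity(deposit, pos, spot_price):
    """Equity when open positions are marked at the instantaneous spot oracle price."""
    return deposit + pos.unrealized_pnl(spot_price)

def bounded_price(spot_price, twap, max_dev=0.10):
    """Clamp the oracle price to within max_dev of a slow-moving reference price."""
    return min(max(spot_price, twap * (1 - max_dev)), twap * (1 + max_dev))

def hardened_equity(deposit, pos, spot_price, twap, pnl_haircut=0.5):
    """Mark at the bounded price; haircut unrealized gains, count losses in full."""
    pnl = pos.unrealized_pnl(bounded_price(spot_price, twap))
    return deposit + (pnl * (1 - pnl_haircut) if pnl > 0 else pnl)

def can_borrow(equity, amount):
    """Simplified lending rule: a loan must be fully covered by account equity."""
    return 0 < amount <= equity

def price_alert(spot_price, twap, threshold=0.5):
    """Detection hook: True when spot has moved more than threshold away from the TWAP."""
    return abs(spot_price - twap) / twap > threshold

# Constructed scenario using the figures quoted in the article.
DEPOSIT = 5_000_000                      # USDC collateral in the buying account
POSITION = PerpPosition(483_000_000, 0.03)
SPOT = 0.91                              # spot price after the move
TWAP = 0.03                              # assumed: slow reference still near the old price
LOAN = 116_000_000                       # amount borrowed

if __name__ == "__main__":
    naive = naive_equity(DEPOSIT, POSITION, SPOT)
    hard = hardened_equity(DEPOSIT, POSITION, SPOT, TWAP)
    print(f"naive equity    ${naive:,.0f}  loan allowed: {can_borrow(naive, LOAN)}")
    print(f"hardened equity ${hard:,.0f}  loan allowed: {can_borrow(hard, LOAN)}")
    print(f"price alert: {price_alert(SPOT, TWAP)}")
```
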