Solana’s ecosystem saw another hack this week when Mango Markets, a Solana-based swap and lending protocol, was drained in a roughly $100 million exploit. In an unusual twist, the attacker was doxxed within days and then negotiated with the Mango Markets DAO to keep about $50 million of the proceeds as a ‘bounty’.
Allegedly, the attacker was displeased with the “bad debt” left over from the whale bailout on the Solend platform in June. He then submitted a settlement proposal through the DAO’s own governance system and used the stolen MNGO tokens to vote in favor of it.
In the end, it appears the attacker will keep around $47 million as a ‘bug bounty’ in exchange for returning the rest of the funds. As part of the deal, the DAO agreed not to pursue criminal charges.
Mango Markets Hacked for $100 Million
On October 11, Mango Markets was exploited for over $100 million. The method was an ‘oracle price manipulation’ attack: instead of breaking the smart contracts, the attacker fed them a price that made his collateral look far more valuable than it was. The same pattern has been used in a number of earlier DeFi exploits.
Decentralized apps (DApps) rely on oracles to bring off-chain data, such as exchange prices, on-chain. Smart contracts act on whatever the oracle reports, so an attacker who can move the price the oracle reads can make the contracts lend, liquidate or pay out on the basis of a fake value.
Here the attacker moved the price on the centralized exchanges the oracle was sourcing from. He opened roughly $10 million of MNGO perpetual contracts on Mango Markets itself, then spent another $3 million buying MNGO on thin spot markets to pump the price.
Mango’s native token ($MNGO) spiked more than 300% in about ten minutes on FTX and then fell almost 90%. While the price was inflated, the attacker’s position on Mango showed more than $400 million in value, which the protocol accepted as collateral. Against it he borrowed about $112.2 million from Mango’s treasury.
The attacker walked away with the borrowed funds and a very large payday. The story took a strange turn from there, as he doxxed himself and shenanigans ensued.
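To make the mechanism concrete, here is an added worked example (constructed for this article, not Mango Markets’ code). It models a thin constant-product spot market, a lending pool that values collateral from an oracle, and an attacker who holds tokens bought at the honest price, pumps the market, and borrows against the inflated collateral. It compares a naive spot-price oracle with a TWAP oracle that also clamps how far one observation may move from the running average. All names, reserve sizes, the 0.75 loan-to-value ratio and the $300,000 pump are assumptions chosen for illustration, not figures from the Mango incident.

```python
"""Toy model of the oracle price-manipulation pattern.

Constructed example, not Mango Markets' code. Assumes a lending protocol
that prices collateral from one thin spot market, and compares a naive
spot-price oracle with a TWAP oracle that clamps single observations.
"""
from collections import deque
from statistics import mean


class ConstantProductMarket:
    """Thin constant-product spot market (x * y = k), assumed for illustration.
    A small purchase moves the price a lot, which is exactly what the attacker wants."""

    def __init__(self, token_reserve: float, usd_reserve: float) -> None:
        self.token = token_reserve
        self.usd = usd_reserve

    def price(self) -> float:
        return self.usd / self.token

    def buy_with_usd(self, usd_in: float) -> float:
        """Swap usd_in for tokens; returns the tokens received."""
        k = self.token * self.usd
        self.usd += usd_in
        new_token = k / self.usd
        received = self.token - new_token
        self.token = new_token
        return received


class SpotOracle:
    """Reports the latest spot price as-is (the weak design)."""

    def __init__(self, market: ConstantProductMarket) -> None:
        self.market = market

    def observe(self) -> None:  # nothing to smooth
        pass

    def price(self) -> float:
        return self.market.price()


class TwapOracle:
    """Average of the last `window` observations; each new observation is
    clamped to within +/- max_move of the current average."""

    def __init__(self, market: ConstantProductMarket, window: int = 10,
                 max_move: float = 0.10) -> None:
        self.market = market
        self.window = deque(maxlen=window)
        self.max_move = max_move

    def observe(self) -> None:
        p = self.market.price()
        if self.window:
            avg = mean(self.window)
            hi, lo = avg * (1 + self.max_move), avg * (1 - self.max_move)
            p = min(max(p, lo), hi)
        self.window.append(p)

    def price(self) -> float:
        return mean(self.window)


class LendingPool:
    """Lends treasury funds against collateral valued by `oracle` at `ltv`."""

    def __init__(self, oracle, treasury_usd: float, ltv: float) -> None:
        self.oracle = oracle
        self.treasury = treasury_usd
        self.ltv = ltv

    def max_borrow(self, collateral_tokens: float) -> float:
        value = collateral_tokens * self.oracle.price()
        return min(self.treasury, value * self.ltv)


def run_attack(oracle_cls, collateral_tokens: float = 20_000_000,
               pump_usd: float = 300_000, warmup: int = 10, pump_ticks: int = 3) -> dict:
    """Attacker holds `collateral_tokens` bought at the honest price, pumps the
    thin market with `pump_usd`, borrows against the inflated collateral and
    never repays. Returns the attacker's net result for the given oracle."""
    market = ConstantProductMarket(token_reserve=10_000_000, usd_reserve=300_000)
    oracle = oracle_cls(market)
    pool = LendingPool(oracle, treasury_usd=5_000_000, ltv=0.75)

    honest_price = market.price()
    for _ in range(warmup):          # quiet period: oracle sees only honest prices
        oracle.observe()

    market.buy_with_usd(pump_usd)    # the pump: price jumps 4x on this thin market
    for _ in range(pump_ticks):      # attacker holds the price up for a few updates
        oracle.observe()

    borrowed = pool.max_borrow(collateral_tokens)
    cost = collateral_tokens * honest_price + pump_usd   # pump spend treated as sunk
    return {
        "honest_price": honest_price,
        "spot_after_pump": market.price(),
        "oracle_price": oracle.price(),
        "borrowed": borrowed,
        "attacker_profit": borrowed - cost,
    }


if __name__ == "__main__":
    for cls in (SpotOracle, TwapOracle):
        print(cls.__name__, run_attack(cls))
```

With the spot oracle the pool lends $1.8 million against collateral that cost the attacker $600,000, so the pump pays for itself several times over; with the clamped TWAP the oracle price barely moves over three updates and the attack loses money. Note the caveat: a TWAP only raises the cost and duration of a manipulation. Against a very illiquid token an attacker with enough capital can hold the price up for the whole window, so lending protocols also need depth-aware limits on how much can be borrowed against a single asset relative to its real market liquidity.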
Mango Hacker Self-Doxxes
The Mango attacker is Avraham Eisenberg. Eisenberg is not a first-time exploiter: he previously took $14 million from Fortress DAO before giving half of it back. Presumably some of that $7 million windfall funded the larger attack on Mango.
Eisenberg sent some of the exploited funds from the attacker’s wallet to an Ethereum address already publicly tied to him, ponzishorter.eth. Twitter sleuths traced that token transfer back to him.
After his name was attached to the Ethereum address and he was linked to similar attacks in the past, he posted a public statement on Twitter. The statement reads as white hat, but leaked messages of him bragging in hacker Discord servers show he is anything but a good actor here.
Eisenberg also submitted a proposal on the Mango governance site and used the exploited MNGO tokens to vote for it. The proposal reached quorum and passed on October 14. Under its terms Eisenberg returns around half of the funds and keeps the other half as a ‘bug bounty’, the DAO uses its treasury to pay off the bad debt left over from the Solend episode, and the DAO commits not to pursue criminal charges or freeze funds.
The directions from the DAO to the hacker were:
“Within 12 hours of the proposal opening, you shall send back the assets other than USDC, MSOL, MNGO, and SOL as a show of good faith. The remaining assets shall be sent within 12 hours once the vote is complete and passes.
The funds sent by you and the Mango DAO treasury will be used to cover any remaining bad debt in the protocol. All Mango depositors will be made whole.
By voting for this proposal, Mango token holders agree to pay off the bad debt with the treasury, and waive any potential claims against accounts with bad debt, and will not pursue any criminal investigations or freezing of funds once the tokens are sent back as described above.”
Is a DAO Governance Vote Legally Binding?
The part of the story that is yet to be concluded is whether a DAO that has been held for ransom can absolve a malicious actor of criminal liability. The Decentralized Autonomous Organization (DAO) may have voted not to press charges, but does any of this hold up in court?
For one, an agreement made under duress is not a binding contract. Nothing prevents a DAO from agreeing not to press charges in order to get its assets back, and then pressing charges afterwards. Criminal prosecution is also brought by the state, not the victim, so a victim’s promise not to ‘pursue’ charges does not bind prosecutors.
Second, it is unclear whether a DAO vote binds every member of the DAO, or whether members who voted against the proposal can still pursue legal action on their own.
Additionally, over 4,000 accounts were liquidated during the price spike the manipulation caused. Those users are currently out of luck; their losses are not covered by the settlement.
Solana’s Woes Continue
Solana has continued to have a rough time. Network outages, hacks and exploits, and even the confiscation of a whale’s wallet have plagued the self-styled ‘Eth Killer’. We also learned that roughly three-quarters of Solana’s TVL had been created by one developer operating under a dozen alter egos. We have previously covered:
- Solend allowing 1% of users to vote to confiscate a whale’s wallet in June
- Entire Solana Blockchain Halted for 8th time in June
- Flash loan attack on Crema Finance in July
- 75% of all Solana TVL created by 1 Dev and his 12 alts in August
- Exploit due to a Solana Hot Wallet in August
Solana was already facing trouble before this very large and unusual hack of Mango Markets.
Wrap-up Mango Hack
Hacks are nothing new, but this one had a few new wrinkles. First, the nearly $50 million ‘bug bounty’ is by far the largest such payout to date.
Second, attackers are increasingly turning DAO governance itself into part of the exploit. Token-weighted voting lets a small group of large wallets, including an attacker holding freshly stolen tokens, control the whole DAO. Smaller DAOs will eventually need something better than one-token-one-vote, such as requiring tokens to have been held for some period before they carry voting power, before governance can be trusted to resolve incidents like this one.
Third, this again shows the importance of robust oracles. Oracle manipulation is a well-worn attack avenue, and it works best against oracles that take a single spot price from thin markets. Time-weighted averages, multiple independent price sources, and limits on how much can be borrowed against an illiquid asset all raise the cost of the attack, though none of them makes it impossible.
Lastly, as exploits get bigger, it will be interesting to see when and how criminal charges are pursued.
At the end of the day, this is another black mark on Solana’s ecosystem.