A $100M Mango Hack Plagues Solana

Solana’s ecosystem saw another hack this week when Mango DAO was hit by a $100M exploit. Mango Markets is a Solana-based swap and lending protocol. In a twist, the Mango hacker has been doxxed, and he negotiated a ransom with the Mango Markets DAO that lets him keep $50 million as a ‘bounty’.

Allegedly, the hacker was displeased with the “bad debt” that came from the whale bailout on the Solend platform in June. Then in a new twist, the hacker proposed a solution to the hack through the DAO’s governance system, and used his hacked coins to vote in favor of the proposal.

In the end, it appears the hacker will get to keep around $47 million as a bug bounty for returning the rest of the funds. As part of the deal, no criminal charges will be filed against the hacker.

Mango Markets Hacked for $100 Million

On October 11, Mango Markets DAO was exploited for over $100 million. The exploit was carried out through an ‘oracle price manipulation’ attack, a form of attack that has been used in other exploits.

Decentralized Apps (DApps) rely on oracles to pull price and other data on-chain. If a hacker is able to manipulate the data the oracle reports, it can trigger actions in smart contracts that trust that data.

The hacker was able to manipulate the price on the centralized exchanges that the oracle was relying on. He used $10 million in Mango perpetual contracts he opened on the Mango Markets platform, plus another $3 million to pump the price on the illiquid spot markets.

Mango’s native token ($MNGO) spiked over 300% in 10 minutes on the FTX exchange, then dropped almost 90%. The hacker saw his position on Mango reach over $400 million and used this inflated value as collateral to take out a massive $112.2 million loan from Mango’s treasury.
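The sequence above (a short spike on a thin venue, read by a spot oracle, turned into borrowing power) is the pattern a lending protocol has to defend against. The following toy is an added example, not Mango’s code, with constructed prices and position sizes; it values the same collateral under a naive spot oracle and under a time-weighted average price (TWAP) with a deviation guard and a per-account borrow cap.

```python
"""Toy lending-protocol collateral valuation: spot oracle vs. a TWAP with a
deviation guard and a borrow cap. All numbers are constructed for illustration."""

SAMPLE_INTERVAL = 60                      # one oracle sample per minute (constructed feed)
BASE_PRICE, PUMPED_PRICE = 0.03, 0.12     # constructed: a roughly 4x spike, as in a pump
# 60 minutes of prices: 50 quiet minutes, then a 10-minute pump on an illiquid venue
SAMPLES = [(m * SAMPLE_INTERVAL, BASE_PRICE if m < 50 else PUMPED_PRICE) for m in range(60)]
NOW = 60 * SAMPLE_INTERVAL

def spot_price(samples):
    """Naive oracle: the latest print, whatever venue produced it."""
    return samples[-1][1]

def twap_price(samples, now, window):
    """Time-weighted average over [now - window, now]; each sample's price
    holds until the next sample (piecewise constant)."""
    start, weighted, covered = now - window, 0.0, 0.0
    bounds = samples + [(now, None)]
    for (t0, price), (t1, _) in zip(bounds, bounds[1:]):
        lo, hi = max(t0, start), min(t1, now)
        if hi > lo:
            weighted += price * (hi - lo)
            covered += hi - lo
    return weighted / covered

def guarded_price(samples, now, window, max_deviation):
    """Collateral price for borrowing: if spot deviates from the TWAP by more
    than max_deviation, value collateral at the lower of the two (conservative)."""
    spot, twap = spot_price(samples), twap_price(samples, now, window)
    tripped = abs(spot - twap) / twap > max_deviation
    return (min(spot, twap) if tripped else spot), tripped

def max_borrow(collateral_units, price, ltv, borrow_cap=None):
    """Borrowing power = collateral value x loan-to-value, optionally capped
    per account so a single position cannot drain the treasury."""
    limit = collateral_units * price * ltv
    return min(limit, borrow_cap) if borrow_cap is not None else limit

def simulate(collateral_units=10_000_000, ltv=0.5, cap=250_000):
    """Compare what the same collateral can borrow under each oracle design."""
    price, tripped = guarded_price(SAMPLES, NOW, window=1800, max_deviation=0.10)
    return {
        "fair": max_borrow(collateral_units, BASE_PRICE, ltv),            # pre-pump value
        "naive": max_borrow(collateral_units, spot_price(SAMPLES), ltv),  # spot, no cap
        "hardened": max_borrow(collateral_units, price, ltv, cap),        # TWAP + guard + cap
        "guard_tripped": tripped,
    }

if __name__ == "__main__":
    print(simulate())
```

With a 30-minute window the TWAP only doubles during the 10-minute pump while spot quadruples, the guard trips, and the borrow cap bounds what the inflated collateral can extract regardless of the oracle.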

The Mango hacker drained funds from the platform and wound up with a big payday. The story took a strange turn from here, as the hacker doxxed himself and shenanigans ensued.

Mango Hacker Self-Doxxes

The Mango hacker is Avraham Eisenberg. Eisenberg isn’t a first-time exploiter: he previously scammed Fortress DAO out of $14 million before giving half back. Presumably he used some of that $7 million windfall to pull off the bigger exploit on Mango.

Eisenberg sent some of the exploited funds from the hacker’s wallet to his doxxed ETH address, ponzishorter.eth. Twitter sleuths connected the token transaction back to Eisenberg.

After his name was attached to the ETH address and he was linked to similar attacks in the past, he made a public Twitter statement on the events. His statement reads as white hat, but leaks of him bragging in hacker Discords show he is anything but a good guy here.

Eisenberg also made a proposal on the Mango governance site and used his exploited Mango tokens to vote in favor of it. The proposal reached quorum and passed on October 14th. Eisenberg is returning around half of the funds and keeping half as a ‘bug bounty’. Additionally, the DAO is going to pay off the bad debt from the Solend drama. Lastly, they won’t pursue criminal charges or freeze funds.

The directions from the DAO to the hacker were:

“Within 12 hours of the proposal opening, you shall send back the assets other than USDC, MSOL, MNGO, and SOL as a show of good faith. The remaining assets shall be sent within 12 hours once the vote is complete and passes.

The funds sent by you and the Mango DAO treasury will be used to cover any remaining bad debt in the protocol. All Mango depositors will be made whole.

By voting for this proposal, Mango token holders agree to pay off the bad debt with the treasury, and waive any potential claims against accounts with bad debt, and will not pursue any criminal investigations or freezing of funds once the tokens are sent back as described above.”

DAO Governance Legal Binding

The part of the story that is yet to be concluded is whether a DAO that is being held for ransom can absolve a malicious actor of criminal charges. The Decentralized Autonomous Organization (DAO) may have voted not to press charges, but does any of this hold up in court?

For one, you can’t enter into a contract under ransom. There is nothing preventing a DAO from agreeing not to press charges in order to get its assets back, and then pressing charges afterward.

Second, it is unclear if a DAO vote is binding for all members of the DAO, or if the members who voted against the proposal are still able to pursue legal actions.

Additionally, over 4,000 wallets were liquidated during the manipulation of the oracle price. These customers are currently out of luck, with their money lost.

Solana’s Woes Continue

Solana has continued to have a rough time. Network outages, hacks and exploits, and even the confiscation of a whale’s wallet have plagued the ‘Eth Killer’. We even found out that 3/4 of all Solana’s value was created by one developer operating under a dozen alter egos. We have previously covered:

Solana was already facing troubles before this very large and interesting hack of Mango Markets DAO.

Wrap-up Mango Hack

Hacks are nothing new, but this Mango hack had a few new wrinkles. First, the nearly $50 million ‘bug bounty’ is by far the largest bounty that has ever been paid.

Secondly, there is a continuing trend of hackers using DAO governance proposals as a way to further manipulate the protocol. At some point, some of these smaller DAOs will need an improvement over voting by token ownership, since it allows a small group of large wallets to control the entire DAO.

Third, this continues to show the importance of good oracles. Oracle manipulation is a frequently used avenue of attack.

And lastly, as the exploits get bigger, it will be interesting to see when and how criminal charges are pursued.

At the end of the day, this is another black mark on Solana’s ecosystem.

Written By BowTied Effer

Finance, Fitness, Family, and Fixing Bad Advice from a Father

Disclosure

This article may contain links to third-party websites or other content for information purposes. BowTiedIsland may receive a commission at no cost to you if you purchase a product after clicking one of these links. The Third-Party Sites are not under the control of BowTiedIsland, and BowTiedIsland is not responsible for the content of any Third-Party Site. All information contained herein is the opinion of the writer and does not constitute financial advice. We aim to act as a neutral third party and aid in your research and analysis.
