Crypto Attack Swipes $100 Million From DeFi Service Mango; This Is How It Was Done

An attacker spirited away about $100 million from decentralized finance provider Mango by manipulating the price of its token in an exploit that wiped out depositors on the crypto platform.

The heist began with two accounts funded with the stablecoin USD Coin, the platform said Wednesday on Twitter. The accounts took large positions in Mango perpetual futures, causing the price of the Mango token to spike.

The price jump stoked an unrealized profit from the futures. The attacker used that to borrow and withdraw roughly a net $100 million from the protocol in a range of tokens -- leaving depositors with nothing, according to Mango.

“This incident has effectively resulted in a total draining of all equity available,” the platform said on Twitter, adding the attackers are communicating with Mango and “indicating a willingness to negotiate.”

The exploit, which follows a spate of multimillion-dollar hacks of DeFi protocols in past months, sheds light on some of the security weaknesses of decentralized exchanges. At so-called DEXs, software essentially enables crypto traders to transact directly with each other without an intermediary.

This differs from centralized exchanges -- CEXs in industry argot -- which are run by a central entity that has custody of user funds.

“Despite their potential, DEXs are still immature in terms of their evolution and come with their own set of security risks,” said Hirander Misra, chief executive of GMEX Group. “There are over a hundred public blockchains, each with their own ways of doing things, meaning no effective agreed standards and given their decentralized nature, no regulation and investor protection.”

The Mango incident is “a price manipulation attack” that took advantage of the ability to leverage up positions on the platform, according to BlockSec, a company specializing in crypto security.

The perpetrator has posted a proposal on Mango's governance page that appears to raise the possibility of returning some of the money in return for a bounty. Other conditions include using the service's treasury to pay off bad debt and not pursuing criminal probes or freezing funds.

Pump and Dump

Mango, which operates on the Solana blockchain, is a decentralized crypto exchange that offers users the ability to make spot trades and loans.

It disabled deposits and said it believes the most constructive thing to do is to communicate with those responsible in an “attempt to resolve the issues amicably.”

Data from tracker CoinGecko shows that in the past 24 hours the price of the Mango token at one point shot up to about 9 US cents from 4 US cents before sinking to about 2 US cents.

Some $2 billion has been lost in crypto security incidents this year, many perpetrated by North Korea-linked groups, according to blockchain analysis firm Chainalysis.

Just last week, 2 million Binance Coins -- equivalent to nearly $570 million -- were effectively minted and taken by a hacker. About $100 million wasn't recovered, while the rest was frozen, according to a Binance statement.