The Mango Markets exploit: Overview and Key Takeaways

In October 2022, a well-funded trader and his associates hit Mango Markets where it hurts. Notice how everybody calls the incident an exploit rather than a hack: the code was untouched and performed exactly as written, and the attackers stole neither data nor private keys. One of the people responsible doxxed himself and claimed they played by the book, describing the Mango Markets exploit as a “highly profitable trading strategy.” The statement proved highly controversial, but he might have a point, taking into account how everything ended.

This case has everything. It calls into question the robustness of oracles, the services that feed smart contracts with data about the real world. It shows how low-liquidity tokens invite market manipulation, and how dangerous that can be. It also raises questions about the exploiters’ ethics. The group might have been wrong for what they did, but they seemingly didn’t break the law at any point. Or did they?

The Solana-based Mango Markets trading system warns users from the get-go, “Mango Markets is unaudited software. Use at your own risk.” And it urges people to acknowledge that they “understand and accept the risks.” Currently posted is the message: “Mango v3 suffered an exploit October 2022 and is not functional.” It sends previous users to this site to redeem their coins. “Claim your lost tokens as approved by the DAO vote. If you have more than one Mango Account for your connected wallet the recovery amounts are combined,” the site says.

Overview of the Mango Markets exploit

On October 11th, a group of people deposited $10 million in collateral into the Mango Markets ecosystem. They then used between $2 and $3 million to manipulate the spot market on several exchanges and pump the price of the ecosystem’s native token, MNGO. Instead of cashing out, they used the resulting unrealized gains as collateral to borrow other tokens from the Mango treasury.

Security firm OtterSec analyzed the case and explained: “The attacker created a ~480M MNGO-PERP position and countertraded themself on another account. They then manipulated the price of MNGO up across a number of exchanges.” Since those exchanges require KYC, the attackers were evidently confident they weren’t breaking the law. According to OtterSec, they took out $116 million in loans and left the Mango treasury with a $116.7 million hole.

Eventually, when MNGO returned to its real price, the loans were undercollateralized and the exploiters were long gone… until one of them, Avraham Eisenberg, came forward and claimed: “all of our actions were legal open market actions, using the protocol as designed.” Eisenberg then took it a step further and used the governance power of the MNGO tokens he had acquired to file a proposal to the Mango Markets DAO, asking to be allowed to keep $70 million in exchange for a promise that the DAO would not pursue legal action.

The original proposal didn’t pass, and its comments section filled with insults and accusations. Eisenberg kept negotiating with the DAO, and both parties eventually settled on letting him keep a $47 million bounty while returning $67 million to Mango Markets, which will use those funds to make users whole. That proposal passed with 98% of the votes. So, it’s official: the DAO will not pursue legal action against the attackers or freeze their funds.

Eisenberg and crew got away with it.

Quotes by the story’s main characters

  • On October 12th, Daffy Durairaj, Mango Labs CEO tweeted: “To everyone worried about their deposits on Mango: I will do everything in my power to recover your funds.”
  • The Mango Markets Twitter account said what we’ve all been thinking on that same day. “We want to clarify and add mention here that neither oracle providers have any fault here. The oracle price reporting worked as it should have.” As a side note, they used Pyth Network, whose feeds aggregate the prices reported by multiple publishers without smoothing them, so the feed relayed the manipulated price as fast as the spot markets moved. That faithful reporting of a thin market is precisely what the attackers exploited. 
  • On October 15th, the controversial Avraham Eisenberg tweeted: “I believe all of our actions were legal open market actions, using the protocol as designed, even if the development team did not fully anticipate all the consequences of setting parameters the way they are.
    Unfortunately, the exchange this took place on, Mango Markets, became insolvent as a result, with the insurance fund being insufficient to cover all liquidations. This led to other users being unable to access their funds.”
  • That same day, the Mango Markets Twitter account announced, “$67M in various crypto assets have been returned to the DAO. Let’s meet up on Monday 3 PM UTC on the Mango discord to discuss, how we can sort out this mess. A bunch of developers already took charge and started working on an algorithm to decide on a refund split.”

What did the Mango Markets exploit require?

To explain the complexity of the attack and its underlying causes, we’ll draw on the thoughts of Mango Markets insider Austerity Sucks. We’ll also need to explain how the system worked. In a nutshell, users were promised yield. To earn it, they had to deposit their assets in a collective lending pool. Other users could borrow from that treasury, and the interest paid was the yield. Besides that, “there is a perpetual futures market, which is a zero sum game, for multiple pairs. This creates an experience where you can do spot-margin trading and futures trading in one account, cross-margined.”

So, according to Austerity Sucks, the Mango Markets exploit required significant capital as well as:

  • Wash trading: The attackers “built up a 480 Million unit MNGO-PERP position between his own accounts.” As the blog post explains, that could have been easily prevented: “an OI limit should have been in place to limit the damage that could be done on an illiquid market.” 
  • Manipulating off-chain, KYC-requiring centralised exchanges: The exploiters were confident enough to pull this off through KYC’d exchanges. 
  • “Dumb” oracles: The MNGO token went up 10x in price in one minute; the oracle should be able to see through that. If the oracle service can’t guarantee “cleansing or quality assurance,” then “it’s on the Exchange / venue to be adding these additional constraints.”
  • Withdrawing against UPL: In the trade, unrealised profit (UPL) of over $100M was used to borrow assets from the Mango Markets treasury. According to Austerity Sucks, “the attack relies on UPL being treated free and clear as collateral to support borrowing and pulling assets off the protocol.”
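To make the three mechanical requirements above concrete, here is an added worked model of a cross-margined account. It is not Mango Markets’ code and not taken from Austerity Sucks’ post; the function and class names are our own. It puts the pre-exploit valuation (latest oracle print, full UPL counted as collateral) beside a hardened one that adds an open-interest cap, marks positions conservatively against a TWAP, haircuts unrealized profit, and flags a print that jumps too far from the average. The sizes, prices, LTV and limits are constructed to echo the figures quoted in this article (a 480M-unit position, $10M of real collateral, a roughly 10x move) rather than taken from chain data.

```python
"""Toy margin model: borrowing against perp unrealized PnL (UPL).

Added illustration; NOT Mango Markets code. All numbers below are constructed
to echo the figures quoted in the article, not taken from chain data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PerpPosition:
    size: float         # base units; positive = long, negative = short
    entry_price: float  # USD per unit


@dataclass
class Account:
    deposits_usd: float                 # hard collateral actually deposited
    perp: Optional[PerpPosition] = None
    borrowed_usd: float = 0.0


@dataclass
class PerpMarket:
    open_interest: float = 0.0
    oi_limit: Optional[float] = None    # None = uncapped (the pre-exploit setting)

    def open_position(self, acct: Account, size: float, price: float) -> None:
        """Open a position, enforcing an OI cap. A wash trade is a long on one
        account matched against a short on another; each leg adds |size| here,
        so a cap bounds how large a self-matched position can become."""
        if self.oi_limit is not None and self.open_interest + abs(size) > self.oi_limit:
            raise ValueError(f"open interest cap {self.oi_limit:,.0f} exceeded")
        self.open_interest += abs(size)
        acct.perp = PerpPosition(size=size, entry_price=price)


def unrealized_pnl(pos: PerpPosition, mark: float) -> float:
    return pos.size * (mark - pos.entry_price)


def twap(samples: List[float]) -> float:
    """Equal-weight average of recent oracle samples (a TWAP proxy)."""
    return sum(samples) / len(samples)


def price_looks_manipulated(spot: float, history: List[float], max_deviation: float = 0.2) -> bool:
    """Venue-side sanity check: flag a print more than max_deviation away from
    TWAP. A 10x move inside one minute trips this; it is the hook a venue would
    use to pause borrows and withdrawals instead of trusting the feed blindly."""
    ref = twap(history)
    return abs(spot - ref) / ref > max_deviation


def borrow_capacity_naive(acct: Account, spot: float, max_ltv: float = 0.8) -> float:
    """Pre-exploit logic: latest oracle print, full UPL counts as collateral."""
    upl = unrealized_pnl(acct.perp, spot) if acct.perp else 0.0
    equity = acct.deposits_usd + upl
    return max(0.0, equity * max_ltv - acct.borrowed_usd)


def borrow_capacity_hardened(acct: Account, spot: float, history: List[float],
                             max_ltv: float = 0.8, upl_weight: float = 0.5) -> float:
    """Hardened valuation: longs are marked at min(spot, TWAP) and shorts at
    max(spot, TWAP), so a sudden move can cut borrow capacity at once but can
    only raise it slowly; positive UPL is haircut by upl_weight, losses count
    in full."""
    if acct.perp is None:
        upl = 0.0
    else:
        ref = twap(history)
        mark = min(spot, ref) if acct.perp.size > 0 else max(spot, ref)
        upl = unrealized_pnl(acct.perp, mark)
        if upl > 0:
            upl *= upl_weight
    equity = acct.deposits_usd + upl
    return max(0.0, equity * max_ltv - acct.borrowed_usd)


def oi_cap_rejects(size: float, cap: float) -> bool:
    """True if an OI cap of `cap` blocks opening a position of `size`."""
    market = PerpMarket(oi_limit=cap)
    try:
        market.open_position(Account(deposits_usd=0.0), size=size, price=0.03)
    except ValueError:
        return True
    return False


def exploit_scenario() -> Dict[str, float]:
    """Replays the shape of the attack with constructed numbers: $10M of real
    collateral, a 480M-unit long opened at $0.03, oracle pumped to $0.25 for a
    single sample. Returns the borrow capacity under each valuation."""
    attacker = Account(deposits_usd=10_000_000)
    market = PerpMarket()                      # uncapped, as deployed
    market.open_position(attacker, size=480_000_000, price=0.03)
    history = [0.03] * 9 + [0.25]              # nine calm samples, then the pump
    spot = 0.25
    return {
        "naive": borrow_capacity_naive(attacker, spot),
        "hardened": borrow_capacity_hardened(attacker, spot, history),
        "flagged": float(price_looks_manipulated(spot, history)),
    }


if __name__ == "__main__":
    for name, value in exploit_scenario().items():
        print(f"{name:>9}: {value:,.0f}")
```

Under the naive rule the one pumped print lets $10M of real collateral borrow over $90M; under the hardened rule the same account can borrow about $12M, and the deviation flag fires on the pumped sample. A crash is treated asymmetrically on purpose: a drop in the latest print is marked immediately in both versions, because an undercollateralized account is the lender’s risk, not the borrower’s.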

After explaining all of this, the blog post gives its version of what happened. The protocol started out supporting blue-chip cryptocurrencies like “BTC, ETH, SOL where there's a robust global market of dozens of venues supporting liquidity.” With those it worked well, but the community voted to add lesser-quality assets. Austerity Sucks doesn’t mince words describing the situation: it “really started around September 2021, when there was populist desire in the DAO and Solana community in general to support trash tokens that had low market quality.”

According to the Mango Markets insider, the move signaled “the beginning of a shift for the DAO towards a willingness to allow for more risk.” And now, we’re living in that situation’s aftermath. 

Curious facts about the Mango Markets exploit 

  • The whole operation only took half an hour to complete.
  • The sudden surge in MNGO prices generated over 4000 short liquidations across the Mango Markets ecosystem. 
  • After the exploit, the total value locked across the Solana DeFi ecosystem dropped by 23%.
  • A few days later, fearing a similar fate, DeFi lending protocol Compound halted support for four mid-cap tokens. Those tokens’ market capitalization isn’t even that low. The delisted assets were Basic Attention Token (BAT), 0x’s governance and staking token (ZRX), Maker (MKR), and Yearn Finance (YFI).
  • The attacker allegedly staged an attack on Curve’s CRV token in an attempt to exploit Aave, but failed. He still pushed CRV’s price from around $0.6 to $0.4.
  • In a copycat case, another group of attackers went after Lodestar Finance and drained the protocol’s funds using similar methods.

Mango Markets after the FTX collapse

When industry giant FTX fell, it significantly shook Solana’s ground. Sam Bankman-Fried was one of the blockchain’s biggest supporters and his ventures were deeply tied to the ecosystem. One of those was soBTC, Solana’s version of wrapped Bitcoin. As it turned out, FTX was the custodian of the BTC backing it. And, according to the legal filings, the company didn’t own any bitcoin. 

Taking that into account, Mango Labs CEO Daffy Durairaj tweeted, “If you have assets in, I recommend you withdraw them. I can't verify the solvency of sollet wrapped tokens which are affiliated with FTX. So far, I've been able to use FTX US to deposit soBTC and withdraw real BTC, but can't guarantee this will continue.” Then, he further explained, “soBTC is the main wrapped BTC on Solana. We launched mango v2 back in June 2021 under the assumption we'd get better decentralized options for wrapped BTC on Solana later. Not possible to change the asset on v2 after it's been deployed.”

So, Sam Bankman-Fried’s sins have reached this far into the crypto sphere. Undoubtedly, the crypto market is flushing out everything that didn’t work and will come out stronger on the other side. 

We wouldn’t give you financial advice even if you asked, but in this house, we keep everything in rock-solid assets like BTC, ETH, and PAXG. That’s the core idea behind both Tetraguard and our long-term investment strategy.

About SmartBlocks

Mark Fidelman

Here at SmartBlocks, we believe it’s time to democratize currency and make it available to anyone, anywhere, anytime.