How low liquidity led to Mango Markets losing over $116 million

It would seem that the hackers used an “oracle price manipulation” tactic in the exploit on the Solana-based DeFi network, as indicated by a tweet sent by the official account for the Mango cryptocurrency exchange.

In mid-October, traders took advantage of a vulnerability in the decentralized finance (DeFi) trading platform Mango Markets and stole more than $110 million worth of cryptocurrencies off the network.

We are currently investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation.

We are taking steps to have third parties freeze funds in flight. 1/

— Mango (@mangomarkets) October 11, 2022

A further thread on Twitter provided a detailed breakdown of how the incident transpired. The attacker began their mission by funding an account on the site with USD Coin for $5 million, which were used to purchase 483 unites of perpetual contracts in Mango (MNGO) token, the platform’s native cryptocurrency.

The attacker used this technique to drive up the price of MNGO from $0.03 to $0.91, increasing the value of their MNGO holdings to $423 million.

The funds were then used to acquire a loan for $116 million using several tokens on the platform, such as Bitcoin and Serum (SRM). Unfortunately, the loan eliminated all of the liquidity in Mango Markets, which resulted in a steep drop in the price of MNGO to $0.02.

The development team for Mango Markets subsequently said that it is looking into what occurred and has initiated an inquiry into it. The protocol made the news available to its users over its different social media outlets, stating that it has temporarily halted deposits while it conducts more research. Additionally, the team informed users that they should refrain from depositing cash into the site before they disable the ability to do so.

How Mango Markets was exploited

The attacker was able to manipulate the MNGO token price, driving it up 30 times in such a short amount of time, by taking out enormous perpetual contracts. An attacker can pull this off by taking advantage of limited market liquidity to artificially inflate a token’s price by making huge purchase orders to push the price and then use new investors as exit liquidity to cash out. This is the same strategy that is employed in pump-and-dump scams.

However, this kind of exploit is difficult to carry out when there is a very large quantity of liquidity since the amount of cash required to manipulate the price would be much higher. Since new or relatively unknown tokens often have extremely little liquidity, pump-and-dump schemes are more common with such tokens.

Mango Markets would have been able to protect itself from this exploit if it had enough liquidity. The use of an automated market maker (AMM) is one strategy that Mango Markets may have utilized to boost its level of liquidity. Automated market makers are computer programs that decide the price of a token by collecting liquidity from users and employing various mathematical formulas.

Ben Roth, co-founder and chief information officer of Auros — an algorithmic market-making firm — told Cointelegraph:

“Adverse trading behavior is a by-product of illiquid market conditions. Therefore, when ‘bad actors’ are able to construct an attack vector that has a high degree of certainty due to low liquidity, the incentive to undertake these sorts of ‘exploits’ rises.”

“When working with an algorithmic market-maker, token issuers simultaneously disincentivize this adverse behavior while building confidence in the consistency of liquidity during a variety of market conditions,” he added.

Large tokenholders, also known as liquidity providers (LPs), are responsible for the operation of AMMs. LPs are responsible for introducing equal quantities of token pairings (such as MNGO/USDC) into pools. This makes it possible for decentralized exchanges to outsource their liquidity while still providing the LPs with compensation in the form of a share of the trading fees collected on the platform.

After the exploit

One day after the exploit on Mango Markets, the perpetrator made a suggestion via the decentralized autonomous organization (DAO) that was part of the platform. The attacker suggested that the Mango DAO pay off any outstanding debts with its $70 million treasury instead of using the attacker’s funds.

The deal stated that the Mango DAO team should use the funds from their treasury to make up for any outstanding financial obligations. After that, the cybercriminal would send the stolen tokens to an address provided by the group responsible for the Mango DAO.

By voting with millions of tokens taken during the exploit, the hacker appeared to support this idea, which is another kind of manipulation. Additionally, the perpetrator of the incident asked that no criminal proceedings be opened against them if the petition was approved.

Eventually, the Mango Markets community agreed to let the attacker keep a large portion of the tokens as a “bug bounty.” The terms are part of a deal that will see the return of $67 million worth of stolen tokens, with the attacker keeping the remaining $47 million out of the $117 million taken.

The deal was reached via a vote in the Mango DAO, with 98% of voters (or 291 million tokens) voting in favor. The proposal included Mango Markets not pursuing legal charges against the hacker.

Attacker reveals their identity

The attacker behind the exploit later came forward to reveal their identity. Avraham Eisenberg announced on Twitter that he was “involved with a team that operated a highly profitable trading strategy last week,” i.e., those responsible for the $100 million attack perpetrated on Mango Markets.

Eisenberg continued to say, “I believe all of our actions were legal open market actions, using the protocol as designed, even if the development team did not fully anticipate all the consequences of setting parameters the way they are.”

He pointed out that as a consequence of the exploit, Mango Markets fell bankrupt, and he also said that the insurance money was not enough to pay all the liquidations that occurred. Because of this, more than one hundred million dollars worth of user cash was lost.

However, Eisenberg claimed that he “helped negotiate a settlement agreement with the insurance fund,” to make all users whole again while recapitalizing the exchange. Eisenberg finished his Twitter thread by saying, “As a result of this agreement, once the Mango team finishes processing, all users will be able to access their deposits in full with no loss of funds.”

Eisenberg continues to claim that his actions were legal, being similar to automatic deleveraging on cryptocurrency exchanges. Automatic deleveraging is a process where exchanges use a portion of the profits earned from successful traders to cover losses due to other traders that have been liquidated.

However, Michael Bacina, partner at Australian law firm Piper Alderman, previously told Cointelegraph, “If this had occurred in a regulated financial market, it would be likely seen as market manipulation.”

While users could still theoretically pursue legal action against Eisenberg, Bacina said it is not commercially viable, stating:

“Assuming claims survive the proposal, any claims would still need to be reduced by any amounts which had been received by a member as a result of the proposal, which may mean many members have limited commercial incentive to sue Mr. Eisenberg.”

Going ahead, it will be interesting to see how DeFi protocols can better secure their protocols, either with AMMs to stop these types of exploits in the first place or through subsequent legal action.