News

Solana-based DeFi Platform Mango Loses $100 Million In Hack

Adekunle Joshua

In the space of one week, the BNB chain powering the Binance exchange and Mango, Solana-based Decentralized finance (DeFi) protocol, were hacked, leading to the loss of millions of digital assets.

The Mango protocol hack, being the latest, is estimated to have caused damages up to $100 million. The news went viral when the DeFi platform tweeted that "it is currently investigating an incident where a hacker was able to drain funds from Mango via an "oracle price manipulation." 

What Is Oracle Price Manipulation

Experts consider Oracle Price manipulation as the most common exploit in Decentralized finance. Hackers exploit the vulnerability of the oracle smart contract, and when they succeed, the system fails or malfunctions. During this period, the hackers engage in whatever fraudulent act pleases them. 

Since Oracle provides real-life data, such as price feeds to blockchain protocols, hackers target these price feeds and manipulate them to steal funds from users' wallets. As of 2020, a report showed that DeFi protocols lost about $33million to Oracle price manipulation attacks. 

One of the proven ways to mitigate this form of attack is to enhance the protocol's security. You will have to deploy the service of a sophisticated decentralized Oracle such as Chainlink. Some developers that decide to use an on-chain oracle can combine oracles based on pools with deep liquidity. This combination will make it difficult for an attacker to skew the prices enough for such an attack to be worthwhile. 

How Mango Suffered Hack 

Mango is a digital asset trading platform on the Solana blockchain. Users on this DeFi platform can trade up to five times leverage, so it was a target for these hackers. 

According to Ottersec, a blockchain auditing website, the hacker's first move was to manipulate the price of Mango's collateral. Then moved a step further to take massive loans from the Mango treasury. 

A broad account of the attack showed that at about 6:19 PM ET, they funded "account A" with 5mm USDC collateral; the attacker subsequently offered 483 million units of MNGO perps (perpetual contracts) on the Mango Markets order book. Shortly after, the attacker funded another account with 5 million USDC collateral to buy those 483 million units of MNGO perps for $0.03 per unit. 

In another move, the attacker started moving the Mango spot market price and drove the price to $0.91 and the value of the 483 million MNGO to $423 million.

The attacker took less than an hour to take out a $116 million loan, leaving Mango's treasury with a negative balance of -116.7 million. Stolen assets include USDC, MSOL, SOL, BTC, USDT, SRM, and MNGO. 

Mango protocol has, however, disabled deposits and is taking steps to have third-party funds frozen. Similarly, they have offered the attacker a bug bounty in exchange for returning the stolen funds.