{"id":448,"date":"2023-01-30T12:41:08","date_gmt":"2023-01-30T10:41:08","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=448"},"modified":"2023-01-30T12:41:08","modified_gmt":"2023-01-30T10:41:08","slug":"2022-solana-hacks-explained-mango-markets","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/2022-solana-hacks-explained-mango-markets\/","title":{"rendered":"2022 Solana Hacks Explained: Mango Markets"},"content":{"rendered":"

Mango Markets<\/strong><\/a> is a platform for cross-collateralized leverage trading<\/strong>. On October 12, 2022, an attacker drained over $116M<\/strong> worth of assets by manipulating the oracle price data.<\/strong><\/span><\/p>\n

Exploit Details<\/b><\/p>\n

The attacker used over $5M USDC<\/strong> to fund an account, took a short MANGO-PERP position<\/a>, and offered 488M MANGO-PERP to sell at $0.0382. Next, he funded another account with additional $5M USDC<\/strong>, took a long MANGO-PERP position<\/a>, and bought 488M MANGO-PERP<\/strong>. Due to low liquidity<\/strong> on the exchange between MANGO<\/strong> and USDC<\/strong>, the attacker was able to pump the price<\/strong> of MANGO on various exchanges 5-10x<\/strong> in a matter of minutes. The updated prices by Oracles were pumped up to $0.91 per unit and allowed the attacker to take out a loan of $116M<\/strong> worth and withdraw BTC (Sollet), USDT, SOL, mSOL, USDC from Mango.<\/span><\/p>\n

After the exploit, the hacker<\/strong> proposed on the Mango DAO<\/strong> vote that he would keep the $70M bounty and send back $50M<\/strong> if Mango Markets uses the remaining funds to pay<\/strong> back users<\/strong> with and without bad debt and, in addition, will not pursue any criminal investigations<\/strong> or freezing of funds once the tokens are sent back. Finally, the Mango DAO offered<\/a> a $47M worth bounty<\/strong> along with the promise not to press charges if he sent back $67M<\/strong> worth of tokens.<\/span><\/p>\n

Shortly after the exploit, the identity<\/strong> of the exploiter was revealed<\/strong>; the man’s name was Avraham Eisenberg<\/strong>, and he didn’t really hide. Instead, allegedly, he created a Twitter<\/strong> <\/a>account where he bragged about the exploit and gained lots of followers. Even though a part of the stolen funds was returned<\/strong> as per the DAO vote, the U.S. Department of Justice announced<\/a> the arrest of Abraham Eisenberg,<\/strong> and later on, the CFTC (Commodity Futures Trading Commission) filed charges<\/a> against him <\/strong>along with Mango Markets<\/a>.<\/span><\/p>\n

 <\/p>\n

\"\"
Avraham Eisenberg. Source: Cointelegraph<\/a><\/figcaption><\/figure>\n

In simple words, <\/b>unlike Wormhole<\/a> or Cashio<\/a>, Mango Markets wasn\u2019t hacked<\/strong> at all, it was exploited<\/strong>. Avraham Eisenberg pumped<\/strong> the price of the Mango\u2019s native token, then sold, thus dumped<\/strong> the price and profited from the spread<\/strong>.\u00a0<\/span><\/p>\n

References<\/strong><\/p>\n

1, <\/a>2, <\/a>3<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Mango Markets is a platform for cross-collateralized leverage trading. On October 12, 2022, an attacker drained over $116M worth of assets by manipulating the oracle price data. Exploit Details The attacker used over $5M USDC to fund an account, took a short MANGO-PERP position, and offered 488M MANGO-PERP to sell at $0.0382. Next, he funded another account with additional $5M USDC, took…<\/p>\n","protected":false},"author":15,"featured_media":449,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[85,84,5],"tags":[14,86,6,19],"class_list":["post-448","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-exploits","category-hacks","category-solana","tag-exploit","tag-hack","tag-solana","tag-solana-security"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/01\/Mango-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/01\/Mango-600x600.png","author_info":{"display_name":"Aleksandra Yudina","author_link":"https:\/\/ackee.xyz\/blog\/author\/aleksandra-yudina\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=448"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/448\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/449"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=448"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}