Crypto trading platform Mango Markets drained of more than $100 million in flash loan attack
Mango Markets — a cryptocurrency trading platform — was robbed of more than $100 million on Tuesday night after a hacker used a flash loan attack to exploit the platform. The attack is one of a series of recent high-profile thefts from platforms that have sent shockwaves through the industry.
Flash loan attacks involve hackers borrowing funds that do not require collateral, buying a significant amount of a cryptocurrency to artificially raise its price and then offloading the coins. The loan is paid back and the borrower keeps any profit.
Mango Markets took to Twitter Tuesday evening to tell users that it was investigating an incident “where a hacker was able to drain funds from Mango via… price manipulation.”
The company said it was disabling deposits and asking third parties to freeze the stolen funds. It also offered the hacker a bug bounty for the return of the funds.
Several hours later, the company confirmed that the hacker used two accounts to artificially raise the price of the MNGO coin by as much as five to ten times the original price on various exchanges in only a few minutes.
By manipulating the price of the coin, the hacker was able to borrow and withdraw Bitcoin, several U.S. dollar-pegged stablecoins and other cryptocurrencies from Mango’s platform.
“The net value extracted by the account was around $100 million equivalent at the time,” the company wrote.
Ronghui Gu, CEO of blockchain security company CertiK and a Columbia University professor, told The Record that during the flash loan attack Mango’s token grew in price from $0.038 to a peak of $0.91, allowing the hacker to borrow heavily against it.
After the coin reached its peak, more than 2000% higher than before, Gu said the attacker used previously purchased MNGO coins as collateral to borrow more than $54 million in USDC; more than $25 million in mSOL; approximately $23 million in SOL; and $5 million in Bitcoin, among other cryptocurrencies.
Customers on the platform are not able to withdraw any assets because the hack “effectively resulted in a total draining of all equity available,” leaving the platform insolvent, Gu said.
The hacker allegedly contacted Mango Markets and expressed a “willingness to negotiate,” according to the company.
“We believe the most constructive way to approach this is to continue communicating with those responsible for the incident and in control of the funds removed from the protocol to attempt to resolve the issues amicably,” they said.
As Gu pointed out, this exact attack vector was raised in Mango’s Discord channel back in March of 2022.
“The vulnerability here stemmed from the thin liquidity on the MNGO/USDC market, which was used as the price reference for the MNGO perpetual swap. With only a few million USDC at their disposal, the attacker was able to pump the price of MNGO,” he explained.
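The risk Gu describes, collateral valued at a spot price taken from a thin market, can be seen in a short risk-engine sketch. This is an added example, not code from Mango Markets or CertiK. The collateral factor, step cap, window, position size and intermediate feed values are constructed assumptions; only the $0.038 and $0.91 endpoints come from the article.

```python
# Added example: hypothetical lending risk check, not Mango Markets code.
from statistics import median

COLLATERAL_FACTOR = 0.5  # assumed: share of collateral value that can be borrowed
MAX_STEP = 0.10          # assumed: largest price move accepted per oracle sample
WINDOW = 5               # assumed: number of samples in the valuation window

def guarded_prices(samples, max_step=MAX_STEP):
    """Clamp each sample to within max_step of the previously accepted price."""
    accepted = [samples[0]]
    for price in samples[1:]:
        prev = accepted[-1]
        low, high = prev * (1 - max_step), prev * (1 + max_step)
        accepted.append(min(max(price, low), high))
    return accepted

def valuation_price(samples, window=WINDOW):
    """Median of the last `window` guarded samples, used to value collateral."""
    return median(guarded_prices(samples)[-window:])

def borrow_limit(units, price, factor=COLLATERAL_FACTOR):
    """Maximum borrowable value for `units` of collateral at `price`."""
    return units * price * factor

def deviation_alert(samples, threshold=0.5):
    """True when the latest raw price is far from the guarded valuation price."""
    ref = valuation_price(samples)
    return abs(samples[-1] - ref) / ref > threshold

# Constructed oracle feed: endpoints from the article, middle values invented.
FEED = [0.038, 0.038, 0.039, 0.12, 0.35, 0.70, 0.91]
POSITION = 100_000_000  # constructed collateral size, in token units

def compare(feed=FEED, units=POSITION):
    """Return (spot-based limit, guarded limit, alert flag) for the feed."""
    spot = borrow_limit(units, feed[-1])
    guarded = borrow_limit(units, valuation_price(feed))
    return spot, guarded, deviation_alert(feed)

if __name__ == "__main__":
    spot, guarded, alert = compare()
    print(f"spot limit ${spot:,.0f}  guarded limit ${guarded:,.0f}  alert={alert}")
```

With the constructed feed, valuing collateral at the raw last price allows roughly nineteen times more borrowing than the guarded valuation, and the deviation check flags the feed for review before new loans are issued.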
The hacker behind the incident publicly reached out to the Mango community and offered a compromise on the company’s forum.
They proposed returning much of the stolen funds, repaying users who lost out and getting a bug bounty through Mango’s insurance fund.
“By voting for this proposal, mango token holders agree to pay this bounty and pay off the bad debt with the treasury, and waive any potential claims against accounts with bad debt, and will not pursue any criminal investigations or freezing of funds once the tokens are sent back as described above,” the hacker said.
Gu said that the account appears to be genuine and linked to the stolen funds. “It remains to be seen how Mango’s governance will react to this offer, and whether the insurance fund will come into play to cover some of the losses,” Gu said.
Mango did not respond to requests for comment about the proposal and whether they agree with what is being offered.
The attack on Mango is the latest in a string of $100 million cryptocurrency hacks to take place this year.
Just last week, the world’s largest cryptocurrency exchange Binance lost at least $100 million in a hack. Blockchain company Harmony said $100 million in cryptocurrency was stolen from the platform in June.