Mango, a decentralized banking platform based on the Solana blockchain, has been used for more than $100 million in transactions.
Mango announced on Twitter on Tuesday evening that it was investigating an incident in which a hacker was able to drain funds from Mango via oracle price manipulation, and that deposits had been disabled as a precaution.
According to blockchain audit firm OtterSec, it appears that an attacker was able to “manipulate” their collateral on Mango, allowing them to borrow outsized loans from the platform’s treasury:
“They temporarily spiked up their collateral value, and then took out massive loans from the Mango treasury,” OtterSec wrote on Twitter.
So far, around US$117 million has been drained from the platform.
How Did the Attacker Exploit Mango’s Platform?
According to Joshua Lim, Head of Derivatives at Genesis Global Trading, “At 6:19 PM ET, an attacker funded account A with 5mm USDC collateral.”
The attacker then sold 483 million MNGO perps (perpetual contracts) on the Mango Markets order book. At 6:24 PM ET, the attacker funded a second account with 5 million USDC collateral to purchase those 483 million MNGO perps at $0.03 per unit.
The attacker began changing the Mango spot market price at 6:26 PM ET, bringing the price to $0.91 and the value of the 483 million MNGO to $423 million.
After that, the assailant borrowed $116 million, leaving Mango’s treasury with a negative balance of -116.7 million. USDC, MSOL, SOL, BTC, USDT, SRM, and MNGO were all drained, erasing all of Mango’s liquidity.
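The following added example (not Mango's code and not taken from the sources quoted above) models a simplified borrow check on the second account, comparing the limit computed from the raw spot price with one computed from a price clamped to a band around recent observations. The 0.8 collateral weight, the 10% band, the pre-spike price history and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal as D


@dataclass
class PerpAccount:
    usdc_collateral: D  # deposited USDC
    perp_size: D        # long MNGO perp position, in MNGO
    entry_price: D      # price paid per unit

    def equity(self, mark_price: D) -> D:
        """Deposit plus unrealized PnL of the long position at mark_price."""
        return self.usdc_collateral + self.perp_size * (mark_price - self.entry_price)


def guarded_price(spot: D, history: list, max_move: D = D("0.10")) -> D:
    """Hypothetical guard: clamp spot to +/- max_move around the recent average."""
    ref = sum(history) / len(history)
    return min(max(spot, ref * (1 - max_move)), ref * (1 + max_move))


def borrow_limit(account: PerpAccount, mark_price: D, weight: D = D("0.8")) -> D:
    """Maximum borrow against equity; the 0.8 collateral weight is an assumption."""
    return max(D(0), account.equity(mark_price) * weight)


def loan_allowed(account: PerpAccount, mark_price: D, requested: D) -> bool:
    """True if the requested loan fits under the limit at this mark price."""
    return requested <= borrow_limit(account, mark_price)


# Figures from the article: second account, 5M USDC, 483M MNGO perps bought at $0.03.
ACCOUNT_B = PerpAccount(D("5000000"), D("483000000"), D("0.03"))
SPOT = D("0.91")            # spot price reported in the article after the move
HISTORY = [D("0.03")] * 5   # constructed: oracle observations before the spike
LOAN = D("116000000")       # amount borrowed, per the article

if __name__ == "__main__":
    for label, price in (("raw spot", SPOT), ("guarded", guarded_price(SPOT, HISTORY))):
        print(f"{label:9} price={price} "
              f"limit={borrow_limit(ACCOUNT_B, price):,.0f} "
              f"loan allowed={loan_allowed(ACCOUNT_B, price, LOAN)}")
```

With the raw spot price the $116 million loan passes the check; with the clamped price the same request is rejected because the unrealized gain counted as collateral is bounded by the band.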
Mango Token Crash
Mango Markets is a Solana-based platform for spot margin and perpetual futures trading of digital assets. Mango DAO governs Mango Markets.
Since the news broke, the Mango token (MNGO) has crashed as a result of market skepticism about the safety of the network.
MNGO fell by over 40% within a few hours of the story's release.