Solana-Based Decentralized Finance Platform Mango Hit by $100 Million Exploit
Mango's MNGO token was down over 40% after suffering from the latest massive decentralized finance exploit.
Mango, a decentralized finance platform hosted on the Solana blockchain, has been exploited for over $100 million.
The exploit was initially reported on Twitter by blockchain auditors OtterSec, who say “the attacker was able to manipulate their Mango collateral.”
“The [MGNO] governance token was valued for far more than it should be,” OtterSec’s Robert Chen told CoinDesk. “With that, [the attacker] was able to take out large loans against it and then drain Mango's [liquidity] pools. It's like a lending-borrowing race: If you have overvalued collateral, you can then borrow against that collateral, and that's what they did.”
Mango confirmed the exploit in a tweet on Tuesday, stating that it was "investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation."
The drained funds remained, at press time, on the Solana blockchain. In similar cases, centralized exchanges like Coinbase, Binance and Kraken – the only entities with enough liquidity for someone to cash out amounts this large – have blacklisted offending addresses.
In its initial statement, Mango said it was "taking steps to have third parties freeze funds in flight" and "disabling deposits on the front end as a precaution."
Mango is a decentralized crypto exchange on the Solana blockchain that offers users the ability to make spot trades and loans. Mango's MNGO token was down over 42% in value in the past 24 hours amid fears the platform may have been exploited, according to price data from CoinMarketCap.
CoinDesk has reached out to Mango for comment.
Tuesday's exploit was the second major decentralized finance attack in less than a week, coming hot on the heels of an $80 million hack last week of Binance’s BNB blockchain.
UPDATE (Oct. 11, 2022 23:30 UTC): Adds tweet from Mango.
UPDATE (Oct. 11, 2022 23:42 UTC): Adds MNGO price information.
UPDATE (Oct. 12, 2022 00:30 UTC): Adds quote from OtterSec's Robert Chen.
UPDATE (Oct. 12, 2022 00:50 UTC): Adds additional tweet from Mango.