On Tuesday, federal authorities announced the arrest of Avraham Eisenberg, a crypto trader who conducted what he characterized as a “highly profitable trading strategy” that drained $110 million from Mango Markets, a decentralized crypto exchange. While the complaint details Eisenberg’s activities, none of it will come as a surprise given that the entire operation publicly played out on the blockchain (and in real-time on Twitter). Days after the action, Eisenberg even tweeted he was responsible and would be returning a large portion of the funds.
While Eisenberg’s arrest is likely to raise questions around the application of commodities manipulation and fraud laws to crypto, the more important issue raised by this case involves the work of individuals to uncover weaknesses in decentralized protocols, and the impact and utility of these operations for the future of crypto.
Gareth Rhodes, a managing director at Pacific Street, formerly served as deputy superintendent and special counsel at the NYS Department of Financial Services.
Mango Markets is a crypto trading platform where users can buy, sell, lend and borrow crypto tokens. While Coinbase and Binance are centralized and operate like exchanges in traditional finance, Mango and other decentralized finance (DeFi) exchanges such as Uniswap and Aave are fully decentralized. All transactions are conducted on the blockchain, transparent to all. Rules regarding margin requirements, liquidation triggers and the setting of token prices are established by code that is posted on GitHub, and the marketplace operates without human intervention or oversight.
Mango used oracles to set the price of tokens on its exchange (which monitors the average price the same token is listed for on other exchanges) and allows a user to borrow crypto tokens worth approximately 90% of their collateral. Eisenberg took advantage of these features by accumulating a large amount of Mango’s own token, MNGO, then spending millions of dollars in illiquid markets to drive up that token's price more than 1,300%. He then borrowed $110 million in USDC stablecoins against his temporarily inflated MNGO collateral. Over the course of a few hours, MNGO’s price surged, then collapsed and Eisenberg had $110 million in cash, while Mango’s code-driven liquidation engine automatically sold the MNGO tokens for a far smaller value than what Eisenberg “borrowed.”
Eisenberg’s operation was not exactly a surprise, as the risks of such attacks on decentralized collateralized lending are well known and Eisenberg did not invent this strategy. Sam Bankman-Fried, the ex-CEO of FTX, even tweeted his own prescient observations of the danger of using an illiquid token such as MNGO as collateral. Weeks later, the SEC cited these tweets as evidence that SBF “knew, or was reckless in not knowing, that by not mitigating for the impact of large and illiquid tokens posted as collateral by Alameda, FTX was engaging in precisely the same conduct, and creating the same risk, that he was warning against” with Mango.
Eisenberg’s actions were only possible because of DeFi’s foundational principle: code is law. This means computer code, not human beings, must be the decision makers. The Mango community watched Eisenberg’s operation in real time and could do little to stop it. Eisenberg tweeted he was simply “using the protocol as designed, even if the development team did not fully anticipate all the consequences of setting parameters the way they are.”
Eisenberg is far from the only person who has spent countless hours reviewing a crypto protocol’s code and structure and attempting to attack its weaknesses. These individuals, depending on their perceived and stated intentions, are often met with derision for exploiting these flaws for illicit gain and celebration for pointing out shortcomings that can be fixed and improve protocol resilience. And while no user wants to lose money, if you are a crypto entity seeking to test the resilience of your protocol, your best option is probably to hope an enterprising hacker will take a deep look and attempt an exploit and return the money. Most prominent audit firms decline to work with crypto clients and while some have suggested government regulation will fix these issues, the SEC examined Bernie Madoff’s firm five times without uncovering the fraudulent scheme.
See also: In Praise of White-Hat Hackers, but Overreliance Is Foolish | Opinion
Many observers, and perhaps a jury, will say Eisenberg is a criminal and thief. And the fact pattern – all visible on the blockchain, detailed by Eisenberg’s own self-congratulatory tweets and described in SDNY’s criminal complaint – indicates he did indeed violate the letter of the law that prohibits market manipulation. However, it’s easy to imagine a scenario where without Eisenberg’s operation, the Mango protocol grows much larger and attracts more retail users, and it is North Korea, not Eisenberg, that exploits the protocol to drain user funds to pay for nuclear weapon development, not just a “highly profitable trading strategy.” In fact, as a result of Eisenberg’s successful Mango operation, other decentralized trading platforms implemented new risk mitigation measures, and when Eisenberg went after Aave a few weeks later, he failed.
What’s clear is that the crypto ecosystem will continue to rely on the ability of enterprising blockchain sleuths to find weaknesses in the system. What’s not clear is what framework makes sense to properly incentivize the time and skill required for such activity and protect user funds from being taken. ImmuneFi has a promising model of offering a bounty to hackers who pledge not to take user funds, similar to how the False Claims Act and various whistleblower statutes incentivize individuals to find wrongdoing in return for financial reward.
See also: Calling a Hack an Exploit Minimizes Human Error | Opinion
But it can be hard for a hacker to know a protocol weakness is real without an attempted exploit, and there is no indication these so-called “white-hat hackers” are immune from market manipulation laws, which they may violate even if user funds are fully returned.
Some critics may use Eisenberg’s arrest as the latest example of why crypto is little more than a speculative arena full of scammers. While such arguments may find receptive audiences in developed nations with robust traditional financial systems, look no further than how crypto is being used in everyday life by millions in Brazil, Turkey and Mexico, where residents face political stability, major currency devaluation and decimation of savings on a yearly basis. Or to crypto’s rapid expansion in the Middle East, where authoritarian regimes use the banking system to enforce social control.
Decentralized finance is poised to play an increasingly important role in the crypto ecosystem after the high profile failures of centralized entities and FTX and Celsius. Until a better model is found to pressure test these decentralized protocols, operations such as the one conducted by Eisenberg with Mango will remain a painful part of the journey to making the industry more resilient.
CORRECTION (JAN. 12, 2023 – 23:00 UTC): An earlier version of the subhead misstated the regulatory agency Gareth Rhodes previously worked for – he is a former counsel for the NYDFS, not the CFTC.
Learn more about Consensus 2023, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.