(Bloomberg) -- An attacker spirited away about $100 million from decentralized finance provider Mango by manipulating the price of its token in an exploit that wiped out depositors on the crypto platform.
The heist began with two accounts funded with the stablecoin USD Coin, the platform said Wednesday on Twitter. The accounts took large positions in Mango perpetual futures, causing the price of the Mango token to spike.
The price jump stoked an unrealized profit from the futures. The attacker used that to borrow and withdraw roughly a net $100 million from the protocol in a range of tokens -- leaving depositors with nothing, according to Mango.
DeFi Platform Mango Says Net Value of $100m Extracted in Exploit
“This incident has effectively resulted in a total draining of all equity available,” the platform said on Twitter, adding the attackers are communicating with Mango and “indicating a willingness to negotiate.”
A string of attacks have befallen digital assets this year, most notably hacks on blockchain bridges, further undermining confidence in a sector that’s also nursing a $2 trillion wipeout from a November peak.
The Mango incident is “a price manipulation attack” that took advantage of the ability to leverage up positions on the platform, according to BlockSec, a company specializing in crypto security.
The perpetrator has posted a proposal on Mango’s governance page that appears to raise the possibility of returning some of the money in return for a bounty. Other conditions include using the service’s treasury to pay off bad debt and not pursuing criminal probes or freezing funds.
Pump and Dump
Mango, which operates on the Solana blockchain, is a decentralized crypto exchange that offers users the ability to make spot trades and loans.
It disabled deposits and said it believes the most constructive thing to do is to communicate with those responsible in an “attempt to resolve the issues amicably.”
Data from tracker CoinGecko shows that in the past 24 hours the price of the Mango token at one point shot up to about 9 US cents from 4 US cents before sinking to about 2 US cents.
Some $2 billion has been lost in crypto security incidents this year, many perpetrated by North Korea-linked groups, according to blockchain analysis firm Chainalysis.
Just last week, 2 million Binance Coins -- equivalent to nearly $570 million -- were effectively minted and taken by a hacker. About $100 million wasn’t recovered, while the rest was frozen, according to a Binance statement.
(Updates with the method of the attack from the first paragraph.)
More stories like this are available on bloomberg.com
©2022 Bloomberg L.P.
Author: Sidhartha Shukla