Mango, a decentralized finance platform hosted on the Solana blockchain, has been exploited for over $100 million.
The exploit was initially reported on Twitter by blockchain auditors OtterSec, who say “the attacker was able to manipulate their Mango collateral.”
“The [MGNO] governance token was valued for far more than it should be,” OtterSec’s Robert Chen said. “With that, [the attacker] was able to take out large loans against it and then drain Mango's [liquidity] pools. It's like a lending-borrowing race: if you have overvalued collateral, you can then borrow against that collateral, and that's what they did.”
According to Chen, it remains unclear how, exactly, the attacker managed to inflate MNGO’s value in the eyes of the Mango protocol, though there are already several theories floating around on Twitter suggesting how the heist could’ve been pulled off.
Mango confirmed the exploit in a Tweet on Tuesday, stating that it was "investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation."
The drained funds remained, at press time, on the Solana blockchain. In similar cases, centralized exchanges like Coinbase, Binance and Kraken – the only entities with enough liquidity for someone to cash out amounts this large – have blacklisted offending addresses.
In its initial statement, Mango said it was "taking steps to have third parties freeze funds in flight" and "disabling deposits on the front end as a precaution."
Mango is a decentralized crypto exchange on the Solana blockchain that offers users the ability to make spot trades and loans. Mango's MNGO token was down over 42% in the past 24 hours amid fears that the platform may have been exploited, according to price data from CoinMarketCap.
Tuesday's exploit was the second major decentralized finance attack in less than a week, coming hot on the heels of an $80 million hack last week of Binance’s BNB blockchain.