
Even When It Works Perfectly, DeFi Is Broken

This week we learned of yet another disastrous crypto heist, in which the “Mango” exchange was wiped out with losses valued at over $100M.

It’s actually cooler than most because, as Shaurya Malwa put it, “Mango wasn’t hacked, it worked exactly as intended” [1].

Mango is an Ethereum-based exchange that basically does electronic trading using “smart contracts”. As in any “DeFi” (“Decentralized Finance”) system, no humans are involved. “The code is the law”, as they say.

What happened was that a trader equipped with sufficient funds, something over $10M, executed a combination of trades that bought up a large position in Mango tokens, and then drove up the price of the thinly traded tokens. In about half an hour the manipulation increased the value of their holding tenfold. Then they cashed out, tapping all the assets of the exchange. The shark actually still has millions’ worth on the exchange, but Mango is bust and closed down, so they can’t get anything for them.

Now that’s what I call a heist. 

This game was not only technically legal, it was completely within the rules of the system.

(This was an “exploit” in multiple senses of the word!)

It worked because (a) Mango was small enough that a single shark could amass enough to fiddle it and (b) no humans were involved, so no one could do anything or even knew what was happening.

“All in all, the rogue trader used over 10 million USDC to take out over $116 million from Mango, paying minimal fees for conducting the attack and doing everything within the parameters of how the platform was designed. Mango wasn’t hacked, it worked exactly as intended, and a savvy trader, albeit with nefarious intentions, managed to wring token liquidity out.”

(From [1])

As Malwa notes, this kind of manipulation “won’t work on two centralized exchanges” (i.e., with humans involved), because the prices everywhere would stay much closer to the same, eliminating most of the profit.
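The two points above, that a thin market can be moved tenfold in half an hour and that no human was watching while it happened, are exactly what an automated sanity check is for. The following Python is an added example written for this page; it is not Mango’s code, and the tick prices, reference price and thresholds in it are constructed for illustration. It values a token position only after comparing the spot price against the token’s own time-weighted average price (TWAP) and against a reference price from another venue, and halts valuation of that asset when either deviation exceeds a limit.

```python
"""
Added example (not from the post or from Mango): an automated risk check
that an exchange could run with no humans in the loop.  Prices below are
constructed; the thresholds are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tick:
    t: int         # seconds since the start of the observation window
    price: float   # last traded price at time t


def twap(ticks, window_end, window_len):
    """Time-weighted average price over [window_end - window_len, window_end].

    Each tick's price is assumed to hold until the next tick (or the window end).
    Returns None if no tick overlaps the window.
    """
    start = window_end - window_len
    total = weight = 0.0
    for i, tick in enumerate(ticks):
        seg_start = max(tick.t, start)
        seg_end = ticks[i + 1].t if i + 1 < len(ticks) else window_end
        seg_end = min(seg_end, window_end)
        if seg_end <= seg_start:
            continue  # tick lies entirely outside the window
        total += tick.price * (seg_end - seg_start)
        weight += seg_end - seg_start
    return total / weight if weight else None


def check_price(spot, twap_price, reference_price,
                max_twap_dev=0.25, max_ref_dev=0.10):
    """Return ("OK", []) or ("HALT", [reasons]) for the given spot price.

    max_twap_dev: allowed relative gap between spot and the venue's own TWAP.
    max_ref_dev:  allowed relative gap between spot and another venue's price,
                  mirroring the observation that across venues prices stay close.
    """
    reasons = []
    if abs(spot - twap_price) / twap_price > max_twap_dev:
        reasons.append("spot deviates from TWAP")
    if abs(spot - reference_price) / reference_price > max_ref_dev:
        reasons.append("spot deviates from reference venue")
    return ("HALT" if reasons else "OK", reasons)


def usable_collateral(balance, spot, twap_price, reference_price):
    """Value a position for withdrawal/borrowing limits.

    Conservative rule: if the price check halts, the position counts for
    nothing until a human reviews it; otherwise use the lowest of the three
    prices, so a spike in the venue's own spot price cannot inflate the value.
    """
    status, _ = check_price(spot, twap_price, reference_price)
    if status == "HALT":
        return 0.0
    return balance * min(spot, twap_price, reference_price)


# Constructed one-hour tick series.  Normal market: price drifts around 0.03.
NORMAL_TICKS = [Tick(0, 0.03), Tick(1800, 0.031), Tick(3000, 0.029)]
# Constructed manipulated market: flat for 30 minutes, then driven up tenfold.
PUMPED_TICKS = [Tick(0, 0.03), Tick(1800, 0.06), Tick(2400, 0.12),
                Tick(3000, 0.20), Tick(3300, 0.30)]
REFERENCE_PRICE = 0.03   # constructed price on an unrelated venue
WINDOW_END, WINDOW_LEN = 3600, 3600
POSITION = 100_000_000   # constructed token balance of the large account


def evaluate(ticks):
    """Run the whole check on a tick series and return the key figures."""
    spot = ticks[-1].price
    avg = twap(ticks, WINDOW_END, WINDOW_LEN)
    status, reasons = check_price(spot, avg, REFERENCE_PRICE)
    return {
        "spot": spot,
        "twap": avg,
        "status": status,
        "reasons": reasons,
        "naive_value": POSITION * spot,
        "usable_value": usable_collateral(POSITION, spot, avg, REFERENCE_PRICE),
    }


if __name__ == "__main__":
    for name, ticks in (("normal", NORMAL_TICKS), ("pumped", PUMPED_TICKS)):
        print(name, evaluate(ticks))
```

The naive spot valuation of the pumped position is ten times the conservative one; the check refuses to value it at all until someone looks, which is the human step the post says was missing. The thresholds and the one-hour window are assumptions and would need tuning per market.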

It isn’t clear whether the Mango bandit will get much out of this exploit, because the booty is still tied up on the blockchain, and will probably be blocked from moving out. 

Because, of course, the “decentralized” Mango runs on a not particularly decentralized platform. (Apparently, the platform was already in the news for a not-at-all-Nakamotoan bailout of an outsized debt that threatened the stability of the whole platform.)

Sigh.

For the life of me, I can’t understand why any sane person would put money into this stuff. DeFi is pretty much a 100% rip-off these days, and it’s not even illegal to rip you off. For unknown, anonymous accounts on the Internet to rip you off.

Double sigh.


  1. Shaurya Malwa (2022) How Market Manipulation Led to a $100M Exploit on Solana DeFi Exchange Mango. Coindesk, https://www.coindesk.com/markets/2022/10/12/how-market-manipulation-led-to-a-100m-exploit-on-solana-defi-exchange-mango/

Cryptocurrency Thursday