A disgruntled attacker literally squeezed all the liquidity out of the decentralized Mango Markets crypto exchange and is apparently holding $100 million worth of tokens as ransom to force the organization to use the assets in its treasury to finance bad debt taken on to bail out a large investor earlier this year.
Trading was halted Wednesday, and a proposal was posted on the decentralized autonomous organization’s governance page, ostensibly by the attacker, offering to return the funds in exchange for an unspecified bounty. Additional conditions include using Mango’s $70 million treasury holdings to pay off the project’s bad debt and a promise to not pursue any criminal investigations and freeze funds once the tokens are returned.
The attacker also appears to have used 32.9 million Mango tokens, roughly one-third of the voting power required for the proposal to pass, to influence the outcome of the vote, which will close around early Saturday. Fewer than 22,000 votes against the proposal were recorded.
Mango said on Twitter that it will “make sure depositors of the protocol are made whole” but hasn’t responded to Forbes’ request for comment as to how that might come about.
The heist, involving the manipulation of Mango’s namesake coin (MNGO), occurred on Tuesday around 6 p.m New York time. The attacker funded two accounts on the platform with the dollar-pegged USD coin, according to Mango, and took large positions in perpetual futures on the coin, selling from one account and buying in another at an above-market price. That caused the token to spike tenfold on some decentralized exchanges that reacted automatically via smart contracts to the price changes emanating from Mango.
The attacker then used unrealized profit to borrow and withdraw a range of tokens including bitcoin, tether, solana, USD coin and mSOL—worth roughly $100 million—from Mango.
“It looks like that effectively wiped out all available liquidity on Mango,” tweeted Joshua Lim, head of derivatives at crypto trading firm Genesis. Decentralized exchanges like Mango rely on liquidity pools, comprised of various cryptocurrencies, to enable peer-to-peer trading. In exchange for providing liquidity, lenders who fund the pools earn a percentage of transaction fees paid by platform users.
The bad debt to which the hacker referred likely stems from an incident in June when Mango and rival Solana-based lending platform Solend agreed to share the obligations of an unidentified Solend user, whose positions grew so large they were deemed “too big to fail”. The account holder borrowed more than $100 million worth of USD coin and tether, collateralized by the solana token. As solana’s price tanked along with most of the crypto market, the loan’s potential liquidation as the result of a margin call appeared to pose an existential threat to Solend. Eventually, the user transferred $25 million USDC
In response to the attacker’s post, Daffy Durairaj, Mango co-founder, offered to satisfy at least part of the attacker’s demands including a “healthy profit” and absolving that person of charges of wrongdoing. Durairaj also agreed that all Mango depositors should be made “whole.”
It remains to be seen whether the results of the vote on the attacker’s proposal will be considered legitimate. The Mango token is down 32% over the past 24 hours, trading around 3 cents. It ended 2021 at just under 21 cents.
This news is republished from another source. You can check the original article here.