Mango Markets

There’s never a boring day in decentralized finance, but today’s news reads like a crypto-infused episode of Seinfeld.

On Tuesday, a hacker stole roughly $112 million from cryptocurrency exchange Mango Markets, which lives on the Solana crypto platform. They did it by purchasing a large amount of MNGO tokens on the exchange on two separate accounts, going long (betting on the price going up) on one, and going short (betting on the price going down) on the other. Then they used more funds to drive the price of MNGO sharply up and cashed out on the account that was long, draining essentially all of the liquidity on Mango Markets.

Officially, Mango Markets said the incident “has effectively resulted in a total draining of all equity available,” and that its priorities are to “make sure depositors of the Mango protocol are made whole,” as well as “try and salvage some value in Mango DAO and protocol to rebuild from here” while preventing any further losses.

While quite horrible for investors on Mango Markets, who are now left empty-handed, this sort of exploit has been done time and time again, with hackers often making off with hundreds of millions of dollars. In other words, it wouldn’t exactly be unusual in crypto land.

But this time, it appears that the hacker has decided to leverage the way Mango Markets is set up to do some Robin Hood-style work, while keeping some of the money for themselves.

Mango Markets is a DAO, or Decentralized Autonomous Organization. That means it’s governed by voting, where owners of MNGO tokens can vote on the future of the entire project. The more MNGO tokens you own, the more voting power you have.

Also important is the fact that, like so many other decentralized finance projects lately, Mango Markets has a lot of bad debt, stemming from an episode in June when Mango Markets and another DeFi project, Solend, bailed out a large Solana whale to keep the entire ecosystem from collapsing (in crypto lingo, a whale is someone that owns a vast amount of cryptocurrency).

The hacker used this setup to make a proposal to the Mango community. They said they will return some of the funds if Mango Markets uses the money that’s still in its treasury to repay the bad debt it has and make its users whole. They also demanded that they, the hacker, not be criminally investigated, and that their tokens not be frozen. The hacker then used the MNGO tokens they owned to vote “yes” on the proposal, which now has a 99.9% approval rate.

Yes, decentralized finance is an odd place.

Hey, I stole your money. I propose you not send the police after me. I vote yes on my own proposal. Credit: Mango Markets

To recap: Someone stole a lot of MNGO tokens from Mango Markets. Then they made a proposal to return some of the tokens, but only if Mango Markets doesn’t send the police after them. Then they used the MNGO tokens they stole to vote yes on their own proposal.

Unfortunately for the hacker, the proposal hasn’t yet met a threshold that would make it valid, so they weren’t able to immediately auto-approve their demands.

Still, it’s yet another indication that DAOs have a lot more work to do – not just to prevent hackers from stealing funds, but also to keep them from exploiting the DAO governance mechanisms to bend projects to their will.