Early this morning Beijing time, Mango, a decentralized trading platform in the Solana ecosystem, was hacked and suffered a loss of up to 115 million US dollars.
Mango officials then tweeted that they were taking measures to deal with it, and hoped that the hacker would take the initiative to contact them to discuss repayment (part of which could be kept as a bounty): "We are taking measures to allow third parties to freeze liquidity. As a precautionary measure, deposits are disabled on the front end, and we will provide updates as the situation develops."
UXD Protocol, an algorithmic stablecoin protocol in the Solana ecosystem, stated that the total amount of its funds affected in the Mango attack was nearly 20 million US dollars, and said that its insurance fund was sufficient to cover the loss.
Unlike the way previous attacks played out, this time the hacker was "very addicted to drama" and released a new governance proposal on realms: it is hoped that Mango will use treasury funds ($70 million) to repay users' bad debts; if the officials agree, the hacker will return some of the stolen funds, and hopes to avoid criminal investigation or frozen assets. Some crypto enthusiasts commented that the Mango hacker understood DeFi and DAO.
Up to now, the proposal has received 32.9 million votes in favor, 32.41 million of which were cast by the hackers themselves.
Manipulating MNGO Prices for Attacks
Combining the analysis of cryptographer @Joshua Lim with the official incident report from @Mango, we reconstruct the attack process as follows:
The hacker first transferred USD 5 million each to two addresses, A and B, on the Mango exchange. The two addresses are:
A:CQvKSNnYtPTZfQRQ5jkHq8q2swJyRsdQLcFcj3EmKFfX;
B:4ND8FVPjUGGjx9VuGFuJefDWpg3THb58c277hbVRnjNa;
Then, through address A, the hacker used the MNGO perpetual contract to short the platform token MNGO on Mango, with an opening price of $0.0382 and a short position of 483 million. , 483 million long positions.
(Hackers short MNGO)
(MNGO price trend)
At this time, the hacker's long position profit was 483 million * ($0.91 - $0.0382) = $420 million, and the hacker then used the account's net assets to borrow from Mango; fortunately, the platform had insufficient liquidity, and the hacker eventually borrowed only nearly 1.15 million in assets, including: 54.41 million USDC, 768,500 MSOL ($25.3 million), 761,600 SOL ($23.47 million), 281 BTC ($5.356 million), 3.26 million USDT, 2.354 million SRM ($1.73 million) and 32.41 million MNGO ($667,000).
(Collection of Stolen Funds)
In fact, the attack on Mango could have been avoided.
(Screenshot of Mango Discord chat in March this year)
Will the project team compromise with the hacker?
The hacker's new proposal expresses the hope that the officials will use treasury funds ($70 million) to repay the bad debts of the protocol. It is understood that the current treasury funds are about 144 million U.S. dollars, including MNGO tokens worth 88.5 million U.S. dollars and nearly 60 million U.S. dollars in USDC.
The hacker said that if officials agree to the plan, some of the stolen funds will be returned, while hoping that there will be no criminal investigation or freezing of funds. "If this proposal is passed, I will send the MSOL, SOL and MNGO in this account to the address announced by the Mango team. The Mango treasury will be used to cover the remaining bad debts in the protocol, and all users with bad debts will be fully compensated... Once the tokens are returned as described above, there will be no criminal investigation or freezing of funds."
Based on the figures above, the assets the hacker plans to send back are worth about 49.43 million US dollars, which is about 42% of the stolen funds. This means that nearly half of the stolen assets would be kept by the hacker as a "reward", a ratio much higher than the upper limit promised by officials in previous attacks.
Mango officials said that the best solution at present is to communicate with the attacker. "The priorities for Mango DAO are: prevent any further unnecessary losses, secure the depositor funds of the Mango protocol, try to salvage some value of Mango DAO. Mango believes that the most constructive way to solve this problem is to continue working with those responsible for the incident and those who control the funds removed from the protocol to try to resolve the issue amicably."
Legal expert and LegalDAO founder MasterLi believes that, from the perspective of the laws of any country and whether or not this vote passes, the criminal nature of the hacker's conduct is beyond doubt, and trying to evade personal responsibility in this way does not work under any country's laws.
"Another level is the level of DAO governance rules. In the absence of DAO entities, I think DAO governance rules can be considered as some kind of contract or agreement between DAO members. Hackers participating in the contractual relationship by stealing tokens and exercising the right to make a proposal is absolutely untenable in legal terms. In other words, the right of hackers to propose and vote is inherently flawed. In this sense, if the "official" denies the proposal on this ground (I am not sure if MangoDAO has such a mechanism), it is not without reason, and I don't think it's against the purpose of a DAO. This is like saying that I went to participate in a democratic election, and someone robbed my vote and voted for me; then this vote is undoubtedly invalid."
It is unclear whether officials will eventually agree to the proposal and implement it. As of press time, the hacker's proposal had received 32.9 million votes in favor, of which 32.41 million were cast by the hackers themselves, which is still far from the threshold of 67.09 million votes.
