DeFi platform Mango drained for $100M less than a week after BNB hack

Mango, a decentralized cryptocurrency exchange operating on the Solana (SOL-USD) blockchain, recently fell victim to a ~$100M exploit.

In confirming the heist, the official Twitter account of Mango said an attacker “was able to drain funds from Mango via an oracle price manipulation. We are taking steps to have third parties freeze funds in flight,” adding that it will disable deposits.

The exploit started with two accounts funded by stablecoin USDC (USDC-USD) that took outsized positions in Mango perpetual futures (MNGO-PERP). That triggered a “5-10x price increase in a matter of minutes,” Mango said in a separate Twitter post.

The hacker then used the unrealized profit from the price surge to borrow and withdraw a net value of around $100M from the protocol, in a move that wiped out depositors on the platform.

“This incident has effectively resulted in a total draining of all equity available,” said Mango, which allows users to make spot trades and loans.

To sum up the hack in blockchain auditor OtterSec’s analysis: “It appears the attacker was able to manipulate their Mango collateral. They temporarily spiked up their collateral value, and then took out massive loans from the Mango treasury.”

The move, which clearly illustrates certain aspects of DeFi exchange’s security weakness, was the second major DeFi attack in less than a week. An attacker stole 2M of crypto exchange Binance’s BNB token (BNB-USD) last week.