DeFi’s Mango DAO Lets Hacker Keep $50 Million

The community behind the decentralized-finance application Mango DAO received on Saturday a portion of the roughly $100 million stolen this week, after agreeing to let the hacker keep about $50 million of the funds.

Source: Bloomberg | Published on October 17, 2022


The agreement brings to a close several days of tense negotiations between the hacker and Mango, which is governed by a community of token holders who vote on any changes. Soon after the theft, the hacker posted a proposal in the app's governance forum requesting that bad debts on the platform be erased – a deal that was rejected by the majority of Mango token holders, despite the hacker voting in favor of it with some of the stolen tokens.

The Mango team then made a counter proposal, offering to let the hacker keep around $50 million in exchange for the return of the remaining funds while promising no criminal prosecution and erasing the bad debt.

"We just got notice of the funds being returned," Mango's Maximilian Schneider told Bloomberg in a Discord message on Saturday. According to Mango's Twitter account, community members are expected to meet to discuss how to refund the returned $67 million to users, with votes on the plans taking place next week.

An individual took responsibility for the hack in a series of tweets on Saturday, saying he was "involved with a team that operated a highly profitable trading strategy last week" on Mango.

According to the account claiming to be Avraham Eisenberg, "I believe all of our actions were legal open market actions, using the protocol as designed, even if the development team did not fully anticipate all of the consequences of setting parameters the way they are."

When contacted via Twitter, the user did not immediately provide proof of his identity. Schneider of Mango pointed to the hacker's tweet, saying he disagreed that the actions were legal.

The reward is likely to be one of the largest ever given to a hacker. PolyNetwork offered a job and a bounty to an attacker who drained $610 million from the platform more than a year ago, and the funds were eventually reimbursed. Bounties can be worth millions of dollars, but they are typically offered to coders who identify vulnerabilities rather than hackers who steal money.

"This is a clear failure of secure governance," said Michael Lewellen, head of solutions architecture at OpenZeppelin, a crypto security provider. "If an attacker can steal enough tokens to vote themselves a reward, it sends a signal that DAOs can be successfully hacked using stolen tokens to avoid consequences. This highlights the need for improved governance security that takes into account malicious token voters."

In the Mango heist, two accounts funded with the stablecoin USD Coin took large positions in Mango perpetual futures, causing the price of the Mango token to spike. The spike produced an unrealized profit on the futures, which the attacker borrowed against to withdraw approximately $100 million, leaving depositors with nothing.
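The mechanism described above, reduced to a toy model, as an added example that is not part of the original article and is not Mango's own code: a lending protocol that values unrealized perpetual-futures gains at the instantaneous spot price lets a short-lived price spike inflate borrowing power, whereas valuing them at a time-weighted average price (TWAP) and refusing new borrows when spot deviates too far from that average keeps the credit extended in line with the pre-spike market. All position sizes, prices, deposit amounts and parameter names below are constructed for illustration.

```python
"""Toy model of collateral valuation under a price spike (constructed example).

Compares three ways a lending protocol could size a borrow against a deposit
plus unrealized profit on a long perpetual-futures position:
  - spot-based valuation (vulnerable to a momentary spike),
  - TWAP-based valuation (smooths the spike),
  - TWAP plus a deviation circuit breaker (halts new borrows during the spike).
"""
from dataclasses import dataclass


@dataclass
class PerpPosition:
    size: float         # long position size in tokens (constructed value)
    entry_price: float  # USD price at which the position was opened


def unrealized_pnl(pos: PerpPosition, mark_price: float) -> float:
    """Unrealized profit (or loss) of a long position at a given mark price."""
    return pos.size * (mark_price - pos.entry_price)


def twap(price_history: list[float], window: int) -> float:
    """Time-weighted average over the last `window` equally spaced samples."""
    recent = price_history[-window:]
    return sum(recent) / len(recent)


def _collateral(pos: PerpPosition, deposit_usd: float, mark: float) -> float:
    # Only positive unrealized PnL counts toward collateral; losses would
    # reduce it, but this toy keeps the spike case simple.
    return deposit_usd + max(unrealized_pnl(pos, mark), 0.0)


def borrow_limit_spot(pos: PerpPosition, deposit_usd: float,
                      price_history: list[float], ltv: float) -> float:
    """Vulnerable design: mark-to-market at the latest spot price."""
    return _collateral(pos, deposit_usd, price_history[-1]) * ltv


def borrow_limit_twap(pos: PerpPosition, deposit_usd: float,
                      price_history: list[float], ltv: float,
                      window: int) -> float:
    """Safer design: mark unrealized gains at min(spot, TWAP)."""
    mark = min(price_history[-1], twap(price_history, window))
    return _collateral(pos, deposit_usd, mark) * ltv


def borrow_limit_guarded(pos: PerpPosition, deposit_usd: float,
                         price_history: list[float], ltv: float,
                         window: int, max_deviation: float) -> float:
    """TWAP valuation plus a circuit breaker: if spot is more than
    `max_deviation` (fraction) away from the TWAP, extend no new credit."""
    spot = price_history[-1]
    avg = twap(price_history, window)
    if abs(spot - avg) / avg > max_deviation:
        return 0.0  # market looks manipulated or dislocated; freeze borrows
    return borrow_limit_twap(pos, deposit_usd, price_history, ltv, window)


# Constructed scenario: nine calm samples at $0.04, then a 10x spike to $0.40.
CALM_PRICES = [0.04] * 10
SPIKED_PRICES = [0.04] * 9 + [0.40]
POSITION = PerpPosition(size=50_000_000, entry_price=0.04)
DEPOSIT_USD = 5_000_000.0
LTV = 0.8


def scenario() -> dict:
    """Borrow limits under each valuation rule, before and during the spike."""
    return {
        "calm_spot": borrow_limit_spot(POSITION, DEPOSIT_USD, CALM_PRICES, LTV),
        "spike_spot": borrow_limit_spot(POSITION, DEPOSIT_USD, SPIKED_PRICES, LTV),
        "spike_twap": borrow_limit_twap(POSITION, DEPOSIT_USD, SPIKED_PRICES, LTV, 10),
        "spike_guarded": borrow_limit_guarded(POSITION, DEPOSIT_USD, SPIKED_PRICES,
                                              LTV, 10, 0.2),
    }


if __name__ == "__main__":
    for name, limit in scenario().items():
        print(f"{name:14s} borrow limit: ${limit:,.0f}")
```

In the constructed scenario the spot-valued design lets the same $5 million deposit support roughly $18.4 million of borrowing during the spike, the TWAP-valued design about $5.4 million, and the guarded design nothing at all until spot returns to within 20% of the average. Real protocols also need to handle the loss side, multiple collateral assets and oracle latency; the point here is only that credit should not be extended against a price that only existed for an instant.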

According to DeFi Llama, the hacker stole more than 10% of all value locked on the Solana blockchain, on which Mango is based. The hacker's net profit is unknown, because the attacker spent millions to carry out the attack.

According to blockchain specialist Chainalysis Inc., crypto hacks are common, with at least $718 million stolen so far in October alone, bringing the total for the year past $3 billion and putting 2022 on track to be a record for total value hacked.