A Hacker Wants the Victims of His Theft to Approve of His Robbery

When using cryptocurrencies, things operate differently. Having stolen $117 million in digital assets from decentralized finance exchange Mango Markets, the hacker has now offered to return the money, but only if token holders allow them to keep $70 million without facing legal repercussions.

The hacker posted the proposal on the Mango Markets decentralized governance platform and then used votes associated with the funds they had stolen to support it. The proposal, which would characterize the incident as white hat hacking deserving of a bug bounty, could still fail because the hacker was unable to unilaterally establish a quorum.

In a nutshell: a hacker who stole cryptocurrency proposes to keep the majority of the loot and asks the people they stole from to vote on it, while using votes associated with the stolen funds to vote in favour.

“But seriously, what’s wrong with our sector?” Web3 consultant Alex Valaitis tweeted.

Mango Markets Reacts

Mango Markets is a trading platform built on the Solana blockchain. To lessen the impact of the attack, the platform ceased all activities and stopped all deposits and withdrawals, according to Mango Markets. It states that “all accessible equity has effectively been completely drained as a result of this catastrophe.”

At the time of writing, the price of the $MNGO token had fallen 33% from the previous day.

Mango Labs CEO Daffy Durairaj tweeted, “To everyone anxious about their deposits on Mango: I will do everything in my power to reclaim your monies.”

Mango is looking into the hack and has asked the perpetrator to talk about a “bug bounty” while also taking steps to have third parties freeze funds linked to the incident.

In order to try and reach an amicable resolution, Mango tweeted, “We believe the most productive way to address this is to continue engaging with people responsible for the occurrence and in possession of the cash removed from the protocol.”

Attack Details

Blockchain security company OtterSec, which discovered the attack, says the attacker used the MNGO token’s price oracle data to obtain “large” under-collateralized crypto loans from the Mango treasury.

An oracle is a service that provides the blockchain with pertinent off-chain data so that smart contracts can use it. A price oracle supplies a digital asset’s price data. “In this case, neither oracle provider is at fault. The oracle price reporting functioned as expected,” the company says.

The source of the vulnerability was the lack of liquidity on the exchange market between MNGO and the USDC stablecoin, which served as the price benchmark for an MNGO perpetual swap.

According to blockchain security company CertiK, the attacker was able to increase the price of MNGO by 2,394% with just a few million USDC at their disposal.

In order to manipulate the price of MNGO from $0.038 to a peak of $0.91, the attacker used two addresses, according to CertiK. This allowed them to borrow significantly against the value of their MNGO token collateral.
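
The effect of that price move on a borrow limit, and of one common guard (capping the valuation price near a rolling average of oracle samples), shown as an added example that is not Mango Markets code or part of the original article. The two prices are the ones CertiK reports above; the collateral size, collateral weight, averaging window and deviation cap are assumed values chosen for illustration.

```python
# Added illustration, not Mango Markets code. Only the two prices come from
# the article; every other parameter is an assumption.
from collections import deque

PRICE_BEFORE = 0.038             # USD per MNGO before the spike (article)
PRICE_PEAK = 0.91                # USD per MNGO at the peak (article)
COLLATERAL_TOKENS = 100_000_000  # assumed amount of MNGO collateral
COLLATERAL_WEIGHT = 0.8          # assumed fraction of value that can be borrowed
WINDOW = 60                      # assumed number of oracle samples averaged
MAX_DEVIATION = 0.10             # assumed: value at most 10% above the average


class GuardedPrice:
    """Values collateral at the spot price, capped near a rolling average."""

    def __init__(self, window, max_deviation):
        self.samples = deque(maxlen=window)
        self.max_deviation = max_deviation

    def observe(self, spot):
        """Return the price to use for collateral, then record the sample."""
        if self.samples:
            average = sum(self.samples) / len(self.samples)
            valuation = min(spot, average * (1 + self.max_deviation))
        else:
            valuation = spot  # no history yet, nothing to compare against
        # The raw sample is stored, so a sustained move still shifts the average.
        self.samples.append(spot)
        return valuation


def borrow_limit(tokens, price, weight):
    """USD that can be borrowed against `tokens` valued at `price`."""
    return tokens * price * weight


def simulate():
    """Borrow limits at the peak: (spot valuation, guarded valuation)."""
    guard = GuardedPrice(WINDOW, MAX_DEVIATION)
    for _ in range(WINDOW):
        guard.observe(PRICE_BEFORE)            # constructed quiet history
    guarded_price = guard.observe(PRICE_PEAK)  # the spike arrives
    naive = borrow_limit(COLLATERAL_TOKENS, PRICE_PEAK, COLLATERAL_WEIGHT)
    guarded = borrow_limit(COLLATERAL_TOKENS, guarded_price, COLLATERAL_WEIGHT)
    return naive, guarded


if __name__ == "__main__":
    print("spot: ${:,.0f}  guarded: ${:,.0f}".format(*simulate()))
```

The guard bounds how far a short spike in a thinly traded market can raise the borrow limit; because raw samples feed the average, a price held high for the whole window would still move it.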

In a series of tweets, Mango Markets describes the technical specifics of the attack:

The vulnerability appears to have been announced on Mango’s Discord channel in March, but the company declined to confirm the assertion.

Hacker Proposes ‘Bounty’

The hacker proposed a $70 million reward for themselves to the decentralized autonomous organization (DAO) that runs Mango Markets.

Through the Mango DAO, holders of MNGO tokens have the authority to decide how Mango Markets operates.

The hacker suggested returning cryptocurrency worth roughly $50 million if Mango Markets used the $70 million USDC in its treasury to pay off all users who had no outstanding debt in addition to clearing the protocol’s bad debt.

The hacker says that if the request is approved, the decentralized financial company shouldn’t open a criminal investigation or seize the hacker’s funds.

The attacker supported the motion by casting their stolen Mango tokens as a “yes” vote. Voting ends at 1:12 UTC on Saturday.