Mango Markets is Prepared to Award a $47 Mn Bug Reward to a Hacker


Mango Markets: What Is It?

Mango is a lending, trading, and portfolio management platform. Mango enables secured loans against existing assets, and lending/borrowing and leverage trading share the same collateral. Leverage trading is a technique that lets investors make purchases using borrowed funds. Mango is built on the Solana blockchain and uses the Serum DEX, a decentralized platform that lets cryptocurrency traders trade through an automated order book mechanism.

According to the whitepaper, Mango wants to combine the convenience and liquidity of CeFi with the innovation of DeFi at a lower cost to the end user. Mango pursues this objective by providing margin trading and decentralized governance to determine future development. Margin trading is a method of conducting asset trades using money provided by a third party. Low transaction costs and total decentralization are critical requirements for realizing Mango’s goal.

MNGO is the token’s name, and MNGO holders administer the platform using Mango DAO. Following the first distribution, the DAO distributes more tokens via governance proposals. The MNGO token may be used to join Liquidity Provider pools.

Mango is investigating the breach and has approached the attacker about a “bug bounty,” even as it takes measures to freeze funds linked to the incident.

Details of the attack


According to blockchain security company OtterSec, which uncovered the attack, the attacker manipulated the price oracle data for MNGO tokens to obtain a “substantially” under-collateralized crypto loan from the Mango treasury.

An oracle is a technology that transfers off-chain data to the blockchain for use by smart contracts. A pricing oracle reports the price of a digital asset. “Neither Oracle provider is to blame here. Oracle pricing reporting performed as expected,” the business said.

The vulnerability originates from the limited liquidity of the exchange market between MNGO and the USDC stablecoin, which was used as the price reference for the MNGO perpetual swap.
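The gap between an oracle-reported price and what collateral can actually be sold for on a thin market can be checked before a loan is granted. The sketch below is an added example, not code from Mango Markets or OtterSec; the order book, the 0.8 collateral weight, and the function names are constructed assumptions for illustration.

```python
from decimal import Decimal as D

# Constructed bid side of a thin token/USDC market: (price in USDC, size in tokens).
# These numbers are illustrative only, not real market data.
THIN_BIDS = [
    (D("0.90"), D("50000")),
    (D("0.50"), D("100000")),
    (D("0.10"), D("200000")),
    (D("0.03"), D("5000000")),
]

def realizable_value(bids, quantity):
    """USDC received when selling `quantity` tokens into the bids, best price first."""
    remaining, proceeds = quantity, D(0)
    for price, size in sorted(bids, reverse=True):
        fill = min(remaining, size)
        proceeds += fill * price
        remaining -= fill
        if remaining == 0:
            break
    # Tokens that find no bid at all are valued at zero.
    return proceeds

def borrow_limit(oracle_price, quantity, bids, weight=D("0.8")):
    """Return (naive, depth_aware) borrow limits in USDC for a collateral position.

    naive       values collateral at the oracle price alone.
    depth_aware caps that value at what the order book could absorb in a liquidation.
    """
    marked = oracle_price * quantity
    naive = marked * weight
    depth_aware = min(marked, realizable_value(bids, quantity)) * weight
    return naive, depth_aware

if __name__ == "__main__":
    for qty in (D("50000"), D("10000000")):
        naive, capped = borrow_limit(D("0.90"), qty, THIN_BIDS)
        print(f"{qty:>10} tokens: naive limit {naive} USDC, depth-aware limit {capped} USDC")
```

For a position the book can absorb, both limits agree; for a position far larger than the available bids, the oracle-only limit is many times the amount a liquidation could recover, which is the under-collateralization described above.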

Hacker and the Company

The hacker will pocket $47 million as a bug bounty and refund the remaining $67 million taken through the protocol, according to a new agreement between the hacker and the decentralized currency exchange.

The hacker first proposed a $70 million reward for the perpetrator to the decentralized autonomous organization (DAO) governing Mango Markets.

The Mango DAO governs Mango Markets and offers MNGO token holders the authority to influence platform choices.

The attackers also urged that, if the resolution is approved, the decentralized finance firm not begin a criminal investigation or freeze the hacker’s funds.

The voting period closed on Saturday at 1:12 a.m. UTC. The agreement was approved by 96% of the governance vote, which amounted to nearly 473 million tokens, with just 3.4% voting against it.

The hackers allegedly voted for this proposition with millions of tokens obtained via the attack.

Conclusion

The hacker voted for this request using millions of tokens obtained via the vulnerability. On October 14, the proposal received the necessary quorum to pass. In return for the settlement, the hacker wants users who vote in favor of the plan to agree to pay the reward, settle the bad debt with the treasury, waive any prospective claims against accounts with bad debt, and refrain from pursuing any criminal investigation or freezing of funds.

According to the proposed terms, $67 million of the stolen tokens would be returned, while the hacker would keep $47 million. The arrangement was approved by 98% of voters, or 291 million tokens, and provides that Mango Markets would not seek criminal charges against the hacker.
