Mango Markets Exploit - Post-Mortem
Date: October 12, 2022
(This is the same incident as
034_mango_markets. The hacks JSON has duplicate entries for Mango Markets and Mango Markets V3 because both refer to the same Solana Mango v3 perp/oracle manipulation by Avraham Eisenberg.)What Happened
Solana's flagship margin trading protocol Mango Markets suffered a significant attack resulting in "$115M of bad debt" left in the protocol's lending pools.
Attack Vector & Exploit Steps
The attacker executed a price manipulation scheme:
1. Funding: The attacker's address received over $5M in USDC from FTX—"$2M and $3.5M USDC" deposited into Mango Markets
2. Position Setup: Used these funds to establish a large MNGO-PERP (perpetual futures) position
3. Price Spike: Counter-traded against the position from another account, manipulating the spot price of MNGO token from $0.03 to $0.91
4. Collateral Extraction: While MNGO price remained elevated, drained lending pools using unrealized profits as collateral
5. Liquidation Cascade: The manipulation triggered "over 4000 short liquidations"
Technical Root Cause
The vulnerability stemmed from MNGO token's "low liquidity and volume," enabling price manipulation. Mango Markets later clarified this was "not an oracle failure, but rather genuine price manipulation."
Financial Impact
• Bad Debt Created: $115M shortfall in the attacker's account
• Available Treasury: $70M remaining
• Shortfall Gap: ~$50M uncovered
• Network Effect: Solana's TVL dropped "over 20%"
Attacker's Address
yUJw9a2PyoqKkH47i4yEGf4WXomSHMiK7Lp29Xs2NqMAttacker's Mango account:
4ND8FVPjUGGjx9VuGFuJefDWpg3THb58c277hbVRnjNaRemediation Proposal
The attacker proposed a governance solution requesting "~$65M" in assets and immunity from criminal investigation. The attacker voted with "32M votes" stolen during the attack.
Notable Context
A community member had raised "concerns within the Mango community over six months ago" regarding similar attack vectors, which went unaddressed.
Subsequent Legal Outcome (added context)
The attacker, Avraham Eisenberg, was later identified, arrested, and prosecuted in the United States. He was convicted on commodities fraud and market-manipulation charges related to this incident.