How to Analyze an Attack?
A Case Study on the Mango Markets Exploit
October 13, 2022

In this article series, we will conduct in-depth post-hack investigations on a few representative attacks on on-chain protocols and share the techniques and tools used by the sec3 core team to understand the attacks.

Recently, Mango Markets was exploited for over $100M. The exploiter even created a Mango DAO proposal, “Repay bad debt”, that calls for the Mango treasury to pay off the bad debt, pitting depositors against the protocol.

The attacker’s proposal received over 33M Yes votes (voting weight is counted in MNGO tokens).

Main Findings (On the Exploit)

The attacker funded two accounts with more than $10M USDC from FTX

Using the above two accounts as owners, the attacker created two Mango accounts and deposited 5M USDC into each as collateral

The attacker used MangoAccount1 to open a large long position in MNGO-PERP (BUY, quantity = 515717245, price = 0.0382 USDC, using Mango’s 4X leverage)

The attacker used MangoAccount2 to open three large short positions in MNGO-PERP (SELL, total quantity = 488302109)

The attacker drove the MNGO spot price up sharply (from 0.0382 to as high as 0.5 USDC, more than a 13X increase) with several whale trades on Serum DEX

The attacker settled the profits and losses between MangoAccount1 and MangoAccount2, moving the long position’s paper profit ($200M+, marked at the manipulated price) into MangoAccount1’s balance, where it counted as collateral

The attacker then used MangoAccount1 to borrow and withdraw over $120M worth of various tokens (BTC (sollet), USDT, SOL, mSOL, USDC) from Mango, all in a matter of minutes

In essence, the attacker exploited MNGO’s volatility and thin spot liquidity (a few whale trades were enough to move the price at which Mango marked the perp position) together with Mango’s margin and leverage rules in the futures market, which allowed the marked-up profit to be borrowed against.

@SBF_FTX had an excellent exposition on this approach.

What Happened and How to Investigate?

To investigate this attack, we first need to find the attacker’s addresses and the transactions that carried out the attack. Suppose we are only given the attacker’s Mango account (which now carries a huge debt of about -$115M): https://trade.mango.markets/account?pubkey=4ND8FVPjUGGjx9VuGFuJefDWpg3THb58c277hbVRnjNa

However, there are thousands of transactions on Mango per minute. How do we know which addresses belong to the attacker? The sec3 team used the following three approaches:

  1. Monitor abnormal transactions: alert whenever a transaction contains an unusually large transfer (a signal of a potential hack)
  2. Sift through the top token holders (in this case we know the attacker holds a large amount of MNGO)
  3. Decode the Mango accounts involved (the owner field of each Mango account is one of the attacker’s wallet addresses)

The third approach is the most effective way to find the attacker’s address, because the owner of a Mango account is stored directly in the on-chain MangoAccount struct as its third field, right after the MetaData header and the mango_group pubkey (line 1286 of the mango-v3 program source).

By decoding the account data of 4ND8FVPjUGGjx9VuGFuJefDWpg3THb58c277hbVRnjNa, we find that its owner is yUJw9a2PyoqKkH47i4yEGf4WXomSHMiK7Lp29Xs2NqM (the attacker’s Account1).
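The decoding step above, as an added example that is not code from the original post or from sec3: it reads the owner pubkey out of raw MangoAccount bytes at offset 40 (after the 8-byte MetaData header and the 32-byte mango_group pubkey, per the mango-v3 struct layout), base58-encodes it, and shows where those bytes come from in a getAccountInfo response. The data_type constant, the zeroed placeholder group pubkey and the fixture account bytes are assumptions constructed for the example; the owner string is the one recovered in the text.

```python
import base64
import struct

# Base58 alphabet used by Solana for pubkeys (the Bitcoin alphabet).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Canonical base58: each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(digits))


def b58decode(text: str, length: int = 32) -> bytes:
    """Decode into a fixed-length big-endian buffer (32 bytes for a Solana pubkey)."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-base58 character
    return n.to_bytes(length, "big")


# Start of the mango-v3 MangoAccount layout (little-endian, no padding):
#   0..8   MetaData { data_type: u8, version: u8, is_initialized: bool, extra: [u8; 5] }
#   8..40  mango_group: Pubkey
#  40..72  owner: Pubkey        <- the wallet that controls this Mango account
# The struct continues (margin basket, deposits, borrows, perp positions, ...),
# but nothing past offset 72 is needed to recover the owner.
META = struct.Struct("<BB?5s")
OWNER_OFFSET = 40
# DataType::MangoAccount in the mango-v3 program; verify against the program version you decode.
MANGO_ACCOUNT_DATA_TYPE = 1


def decode_mango_account_owner(data: bytes) -> str:
    """Return the base58 owner pubkey stored inside raw MangoAccount data."""
    if len(data) < OWNER_OFFSET + 32:
        raise ValueError(f"account data too short for a MangoAccount: {len(data)} bytes")
    data_type, _version, is_initialized, _extra = META.unpack_from(data, 0)
    if data_type != MANGO_ACCOUNT_DATA_TYPE or not is_initialized:
        raise ValueError(f"not an initialized MangoAccount (data_type={data_type})")
    return b58encode(data[OWNER_OFFSET:OWNER_OFFSET + 32])


def owner_from_rpc_value(value: dict) -> str:
    """`value` is the "value" object returned by getAccountInfo with encoding="base64".
    Its own "owner" field is the *program* that owns the account (the Mango program),
    not the user; the user's wallet only appears inside the decoded account data."""
    encoded, encoding = value["data"]
    if encoding != "base64":
        raise ValueError(f"unexpected data encoding {encoding!r}")
    return decode_mango_account_owner(base64.b64decode(encoded))


def build_sample_mango_account(owner: str, mango_group: bytes = bytes(32)) -> bytes:
    """Constructed fixture: a MangoAccount prefix carrying `owner`, with a zeroed
    placeholder group pubkey and zero padding where the rest of the struct would be."""
    meta = META.pack(MANGO_ACCOUNT_DATA_TYPE, 1, True, b"\x00" * 5)
    return meta + mango_group + b58decode(owner) + b"\x00" * 64


def sample_rpc_value(owner: str) -> dict:
    """Constructed stand-in for a getAccountInfo result, so the flow runs offline."""
    data = build_sample_mango_account(owner)
    return {"data": [base64.b64encode(data).decode("ascii"), "base64"], "executable": False}


if __name__ == "__main__":
    # Owner the article recovered for Mango account 4ND8FVPjUGGjx9VuGFuJefDWpg3THb58c277hbVRnjNa
    recovered = "yUJw9a2PyoqKkH47i4yEGf4WXomSHMiK7Lp29Xs2NqM"
    print(owner_from_rpc_value(sample_rpc_value(recovered)))
```

Against a live node, the only change is to feed `owner_from_rpc_value` the `result.value` of a real `getAccountInfo` call; the decoder rejects data that is too short or whose MetaData header does not mark it as an initialized MangoAccount, so pointing it at the wrong account type fails loudly instead of returning 32 bytes of something else as a "wallet".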

Then, we can retrieve all the historical transactions of Account1, 44 in total, and analyze them one by one from the oldest to the newest:

Timestamp (UTC) Event
Oct 11, 2022 at 19:36:47 The attacker created Account1 and funded it with 25K USDC from FTX in tx 2p86o...gFUyG
Oct 11, 2022 at 19:43:03 The attacker transferred 2M USDC to Account1 from FTX in tx sq2VX...ovTCV
Oct 11, 2022 at 19:50:31 The attacker transferred another 3.5M USDC to Account1 in tx 4aPwY...wBiYM (Account1 now holds 5.525M USDC)
Oct 11, 2022 at 19:54:47 The attacker funded Account1 with 1 SOL from FTX in tx cbxM5...4yg5Q (Account1 can now pay fees, so it can sign and send transactions)
Oct 11, 2022 at 22:08:07 The attacker created MangoAccount1 and deposited 100 USDC to it in tx 4MVjZ...35qCG
Oct 11, 2022 at 22:18:57 The attacker deposited 5M USDC to MangoAccount1 in tx 3cBEK...A8unY
Oct 11, 2022 at 22:23:40 The attacker placed a perpetual order in the MNGO-PERP market in tx 2xPS2...XHPQR (quantity = 515717245, price = 382 in the market’s raw price units, i.e. 0.0382 USDC)
Oct 11, 2022 at 22:26:30 The attacker started manipulating the MNGO price via Jupiter, Raydium and Serum. In this tx, 200K USDC bought 1,993,371.266754 MNGO: tx 5o2wk...HE1Km

MNGO price increased from 0.0382 to 0.1!

Wait, where did the USDC for these spot trades come from? Remember: Account1 received 5.525M USDC from FTX but deposited only 5M (plus 100) as collateral into MangoAccount1, so roughly 525K USDC stayed in the wallet to fund the spot buys.

Timestamp (UTC) Event
Oct 11, 2022 at 22:29:27 The attacker called Mango: SettlePnl on MangoAccount1’s perp position in tx SFVdK...cEDv1

Wait, how could the attacker settle MangoAccount1’s profit so easily? Who was on the SELL side?

Looking into the above transaction, we find three Mango: SettlePnl calls, each settling MangoAccount1 against a different Mango account on the short side (the sellers):

  1. CQvKSNnYtPTZfQRQ5jkHq8q2swJyRsdQLcFcj3EmKFfX
  2. H6R2zNZMmhGoXLMGweGPP4Q9RtZ6RprVu7Hc868pJVbp
  3. C2y9bLhBn7ynkb2HhayHVpUFCSeRWJ9oqFXrKH3vBhZK

Looking into these accounts, we quickly realize that CQvKSN is the attacker’s MangoAccount2: it opened three short positions with a total quantity of 488302109, and decoding its owner field gives the attacker’s Account2: J44uRJ.

Now, we can do a similar analysis of Account2’s transaction history (32 transactions in total):

Timestamp (UTC) Event
Oct 11, 2022 at 19:49:47 The attacker funded Account2 with 5M USDC from FTX in tx 297Ga...P7Ftk
Oct 11, 2022 at 19:54:14 The attacker funded Account2 with 1 SOL in tx 2krAGf...xYsLo
Oct 11, 2022 at 22:07:26 The attacker created MangoAccount2 and deposited 1 USDC to it in tx FGL3G...5BTPm
Oct 11, 2022 at 22:19:13 The attacker deposited 5M USDC to MangoAccount2 in tx 66AFL...C1xyC
Oct 11, 2022 at 22:24:47 The attacker opened a short position in MNGO-PERP in tx 2mMMv...4hf4x (quantity = 261780104, price = 0.0382)
Oct 11, 2022 at 22:25:35 The attacker opened a second short position in MNGO-PERP in tx qbVq5...wM4yE (quantity = 222688514, price = 0.0382)
Oct 11, 2022 at 22:25:51 The attacker opened a third short position in MNGO-PERP in tx 2q2k8...d5g45 (quantity = 3833491, price = 0.0382; the three shorts total 488302109)

Now, going back to Account1, the rest of the attacker’s transactions are all about withdrawing various tokens from Mango and trading USDC for MNGO on Serum (to push the MNGO price higher).

Timestamp (UTC) Event
Oct 11, 2022 at 22:34:26 The attacker traded 50K USDC for 100,172.209331 MNGO, pushing the MNGO price to 0.499 USDC in tx 3SZpH...Bs5XX (about 13X the 0.0382 entry price of MangoAccount1’s long position)
Oct 11, 2022 at 22:36:34 The attacker withdrew 400,000 Wrapped SOL from Mango in tx 2J46z...spgwY
Oct 11, 2022 at 22:37:27 The attacker withdrew 361,577 Wrapped SOL from Mango in tx zpoYV...vWnqV
Oct 11, 2022 at 22:37:38 The attacker withdrew 798,000 Marinade staked SOL (mSOL) from Mango in tx 281Hw...cXdRF

These SOL and mSOL withdrawals alone were worth about $50M. In total, the attacker withdrew over $120M worth of tokens through MangoAccount1.
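The first of the three approaches listed earlier (alerting on abnormal transfers) applied to the withdrawal burst in this table, as an added example that is not code from the original post or from sec3’s tooling: a single-transfer threshold alone would miss an outflow split into pieces, so the detector also sums each account’s withdrawals over a short sliding window. The transfers are constructed from the three rows above, valued at assumed illustrative prices (SOL 32 USD, mSOL 33.5 USD, not figures from the article), the thresholds and window are arbitrary choices, and one ordinary user withdrawal is included to show it stays quiet.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Transfer:
    ts: datetime        # block time, UTC
    account: str        # Mango account the funds left
    mint: str           # token moved (symbol here; a mint address in practice)
    amount: float
    usd_price: float    # valuation price at detection time
    tx: str

    @property
    def usd_value(self) -> float:
        return self.amount * self.usd_price


@dataclass(frozen=True)
class Alert:
    kind: str           # "single": one transfer over the threshold; "burst": several inside the window
    account: str
    usd_total: float
    txs: tuple


def detect_suspicious_outflows(transfers, *, single_usd=20_000_000.0,
                               window=timedelta(minutes=5), window_usd=20_000_000.0):
    """Two rules over a stream of withdrawals, processed in block-time order:
    1. any single withdrawal worth >= single_usd raises an alert immediately;
    2. per account, withdrawals inside a sliding `window` are summed; when two or
       more of them together reach window_usd, alert once and start a fresh window,
       so splitting a large outflow into smaller transactions does not evade rule 1."""
    alerts = []
    recent = defaultdict(deque)  # account -> transfers still inside the window
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.usd_value >= single_usd:
            alerts.append(Alert("single", t.account, t.usd_value, (t.tx,)))
        q = recent[t.account]
        while q and t.ts - q[0].ts > window:
            q.popleft()
        q.append(t)
        total = sum(x.usd_value for x in q)
        if len(q) >= 2 and total >= window_usd:
            alerts.append(Alert("burst", t.account, total, tuple(x.tx for x in q)))
            q.clear()
    return alerts


MANGO_ACCOUNT_1 = "4ND8FVPjUGGjx9VuGFuJefDWpg3THb58c277hbVRnjNa"


def _utc(h, m, s):
    return datetime(2022, 10, 11, h, m, s, tzinfo=timezone.utc)


# Constructed sample: the three withdrawals from the table above at assumed prices
# (SOL 32 USD, mSOL 33.5 USD), plus one ordinary withdrawal that must not be flagged.
SAMPLE_TRANSFERS = [
    Transfer(_utc(22, 36, 34), MANGO_ACCOUNT_1, "SOL", 400_000, 32.0, "2J46z...spgwY"),
    Transfer(_utc(22, 36, 50), "constructed-ordinary-user", "USDC", 1_000, 1.0, "constructed-tx"),
    Transfer(_utc(22, 37, 27), MANGO_ACCOUNT_1, "SOL", 361_577, 32.0, "zpoYV...vWnqV"),
    Transfer(_utc(22, 37, 38), MANGO_ACCOUNT_1, "mSOL", 798_000, 33.5, "281Hw...cXdRF"),
]


if __name__ == "__main__":
    for a in detect_suspicious_outflows(SAMPLE_TRANSFERS):
        print(f"{a.kind:6} {a.account} ${a.usd_total:,.0f} {a.txs}")
```

With these thresholds the two SOL withdrawals (12.8M and about 11.6M at the assumed price) each stay under the single-transfer limit but trip the window rule together 53 seconds apart, while the mSOL withdrawal trips the single-transfer rule on its own. In a real deployment the prices would come from the same oracle feed the protocol uses, and the window rule is the one that matters most: the table shows the whole $50M leaving in just over a minute.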

At the time of writing, MNGO price has dropped to $0.025 and the attacker’s Mango account has a bad debt of over $115M.


About sec3 (Formerly Soteria)

sec3 is a security research firm that prepares Solana projects for millions of users. sec3’s Launch Audit is a rigorous, researcher-led code examination that investigates and certifies mainnet-grade smart contracts; sec3’s continuous auditing software platform, X-ray, integrates with GitHub to progressively scan pull requests, helping projects fortify code before deployment; and sec3’s post-deployment security solution, WatchTower, ensures funds stay safe. sec3 is building technology-based scalable solutions for Web3 projects to ensure protocols stay safe as they scale.

To learn more about sec3, please visit https://www.sec3.dev