How to analyze an attack? — a case on the Mango Markets Exploit
October 13, 2022

In this article series, we will conduct in-depth post-hack investigations on a few representative attacks on on-chain protocols and share the techniques and tools used by the sec3 core team to understand the attacks.

Recently, MangoMarkets was exploited for over $100M; the exploiter even created a Mango DAO proposal “Repay bad debt” that calls for the Mango treasury to pay off the bad debt, positioning depositors against the protocol.

The attacker’s proposal received over 33M Yes votes, counted in MNGO tokens.

Here are the main findings (on the exploit):

  • The attacker funded two accounts with more than $10M USDC from FTX:
    Account1: yUJw9a2PyoqKkH47i4yEGf4WXomSHMiK7Lp29Xs2NqM
    Account2: J44uRJxJEDTyPgFG6BtQJ3skhex8FeBbDJWVoh3z9dJU
  • Using the above two accounts as the owner, the attacker created two Mango accounts and deposited 5M USDC to each account as collateral:
    MangoAccount1: 4ND8FVPjUGGjx9VuGFuJefDWpg3THb58c277hbVRnjNa
    MangoAccount2: CQvKSNnYtPTZfQRQ5jkHq8q2swJyRsdQLcFcj3EmKFfX

  • The attacker used MangoAccount1 to create a large long position (BUY quantity=515717245 price=0.0382 USDC with Mango’s 4X leverage) in MNGO-PERP
  • The attacker used MangoAccount2 to create three large short positions (SELL total quantity=488302109) in MNGO-PERP
  • The attacker caused huge price increases of MNGO (from 0.0382 to as high as 0.5 USDC, a more than 13X increase) in the spot market through multiple whale trades on Serum DEX
  • The attacker settled the profits and losses between MangoAccount1 and MangoAccount2, giving MangoAccount1 a huge unrealized profit ($200M+) from its long position
  • The attacker then used MangoAccount1 to borrow and withdraw over $120M worth of various tokens (BTC (sollet), USDT, SOL, mSOL, USDC) from Mango, all in a matter of minutes

In essence, the approach used by the attacker leverages MNGO’s volatility and Mango’s margin and leverage in the futures market.

@SBF_FTX had an excellent exposition on this approach.

So what exactly happened, and how do we investigate it?

To investigate this attack, we first need to find the attacker’s addresses and the attacking transactions. Suppose we are only given the attacker’s Mango account (which now carries a huge debt of -$115M):

https://trade.mango.markets/account?pubkey=4ND8FVPjUGGjx9VuGFuJefDWpg3THb58c277hbVRnjNa

However, there are thousands of transactions on Mango per minute. How do we know which addresses belong to the attacker?

The sec3 team used the following three methods:

  1. Monitor abnormal transactions — alerts whenever a large transfer happens in a transaction (which indicates a potential hack)
  2. Sift through the top token owners (we know the attacker owns a large amount of MNGO in this case)
  3. Decode the Mango accounts (the owners of these Mango accounts are the attacker’s addresses)

The third method is the most effective way to find the attacker’s address, because the owner of a Mango account is stored in the MangoAccount struct as its third field (line 1286 of the struct definition, shown as a screenshot in the original post).

By decoding the account data of 4ND8FVPjUGGjx9VuGFuJefDWpg3THb58c277hbVRnjNa, we can find its owner is yUJw9a2PyoqKkH47i4yEGf4WXomSHMiK7Lp29Xs2NqM (the attacker’s Account1).
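As an added illustration (not code from the sec3 post), the owner lookup from method 3 can be done offline once the raw account bytes are in hand. It assumes the mango-v3 MangoAccount layout: an 8-byte MetaData header (data_type, version, is_initialized, 5 bytes of padding), then mango_group (32 bytes), then owner (32 bytes), with data_type 1 meaning MangoAccount; the sample account bytes below are constructed, not fetched from chain, and the group key is a placeholder.

```python
import json

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    """Base58 (Solana alphabet) encode; leading zero bytes become leading '1's."""
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(s: str) -> bytes:
    """Inverse of b58encode; leading '1's become leading zero bytes."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

# Assumed mango-v3 layout: 8-byte MetaData header, then mango_group at offset 8,
# then owner at offset 40 (the "third field" the post refers to).
GROUP_OFFSET, OWNER_OFFSET, PUBKEY_LEN = 8, 40, 32
DATA_TYPE_MANGO_ACCOUNT = 1  # assumption: DataType::MangoAccount in mango-v3

def decode_mango_account(data: bytes) -> dict:
    """Return the header fields plus the group and owner pubkeys of a raw MangoAccount."""
    if len(data) < OWNER_OFFSET + PUBKEY_LEN:
        raise ValueError("account data too short for a MangoAccount")
    if data[0] != DATA_TYPE_MANGO_ACCOUNT:
        raise ValueError(f"unexpected data_type {data[0]}, not a MangoAccount")
    return {
        "data_type": data[0], "version": data[1], "is_initialized": bool(data[2]),
        "mango_group": b58encode(data[GROUP_OFFSET:GROUP_OFFSET + PUBKEY_LEN]),
        "owner": b58encode(data[OWNER_OFFSET:OWNER_OFFSET + PUBKEY_LEN]),
    }

def get_account_info_request(pubkey: str) -> str:
    """JSON-RPC body that asks a Solana RPC node for the raw (base64) account bytes."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "getAccountInfo",
                       "params": [pubkey, {"encoding": "base64"}]})

# Constructed sample: Account1 from the post as owner, a placeholder group key.
ATTACKER_ACCOUNT1 = "yUJw9a2PyoqKkH47i4yEGf4WXomSHMiK7Lp29Xs2NqM"
PLACEHOLDER_GROUP = bytes(range(32))  # not the real Mango group key
SAMPLE_ACCOUNT_DATA = (bytes([1, 1, 1, 0, 0, 0, 0, 0]) + PLACEHOLDER_GROUP
                       + b58decode(ATTACKER_ACCOUNT1) + bytes(64))

if __name__ == "__main__":
    print(decode_mango_account(SAMPLE_ACCOUNT_DATA)["owner"])
```

In a real investigation the bytes come back base64-encoded in the `value.data` field of the `getAccountInfo` response and are decoded before being passed to `decode_mango_account`.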

Then, we can retrieve all the historical transactions of Account1 by the attacker. There are a total of 44 transactions. We can then start analyzing these transactions one by one from the oldest to the newest:

  • Oct 11, 2022 at 19:36:47 UTC
  • Oct 11, 2022 at 19:43:03 UTC
  • Oct 11, 2022 at 19:50:31 UTC

Now Account1 has 5.525M USDC

Oct 11, 2022 at 19:54:47 UTC

Now, Account1 can sign and send transactions!

  • Oct 11, 2022 at 22:08:07 UTC
  • Oct 11, 2022 at 22:18:57 UTC
  • Oct 11, 2022 at 22:23:40 UTC

> Program logged: “Mango: PlacePerpOrder2 client_order_id=1665526968618”
> Program logged: “bid on book order_id=7065102980230740612530 quantity=515717245 price=382”
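The order in this transaction is exactly what an alert from method 1 above should catch. Below is an added example (not from the sec3 post) that parses the program log lines of a transaction, pulls out the PlacePerpOrder2 order, and flags it once its notional exceeds a threshold; it assumes the log's price=382 maps to 0.0382 USDC as stated in the post (a scale of 1e-4) and that quantity is in MNGO units, and the sample log lines are constructed from the two lines quoted above.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (RPC `logMessages` form of the two lines quoted above).
SAMPLE_LOG_MESSAGES = [
    "Program log: Mango: PlacePerpOrder2 client_order_id=1665526968618",
    "Program log: bid on book order_id=7065102980230740612530 quantity=515717245 price=382",
]
PRICE_SCALE = 1e-4  # assumption: price=382 in the log is 0.0382 USDC per MNGO

INSTR_RE = re.compile(r"Mango: (?P<instr>PlacePerpOrder2?) client_order_id=(?P<cid>\d+)")
ORDER_RE = re.compile(
    r"(?P<side>bid|ask) on book order_id=(?P<oid>\d+) quantity=(?P<qty>\d+) price=(?P<px>\d+)"
)

@dataclass
class PerpOrder:
    instruction: str
    client_order_id: int
    side: str
    order_id: int
    quantity: int      # base units (MNGO), as the post reads the log
    price_ui: float    # USDC per MNGO after scaling

    @property
    def notional_usdc(self) -> float:
        return self.quantity * self.price_ui

def parse_perp_orders(log_messages, price_scale=PRICE_SCALE):
    """Pair each 'Mango: PlacePerpOrder…' line with the 'on book' line that follows it."""
    orders, current = [], None
    for line in log_messages:  # search() works for both 'Program log:' and explorer text
        if m := INSTR_RE.search(line):
            current = (m["instr"], int(m["cid"]))
        elif (m := ORDER_RE.search(line)) and current is not None:
            orders.append(PerpOrder(current[0], current[1], m["side"], int(m["oid"]),
                                    int(m["qty"]), int(m["px"]) * price_scale))
            current = None
    return orders

def flag_large_orders(orders, threshold_usdc):
    """Monitoring rule from method 1: any single perp order above the notional threshold."""
    return [o for o in orders if o.notional_usdc >= threshold_usdc]

if __name__ == "__main__":
    for o in flag_large_orders(parse_perp_orders(SAMPLE_LOG_MESSAGES), 1_000_000):
        print(f"{o.side} {o.quantity} @ {o.price_ui:.4f} = {o.notional_usdc:,.0f} USDC")
```

For the order above the notional comes out at roughly 19.7M USDC, which is the 5M USDC collateral at the 4X leverage the post mentions.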

Oct 11, 2022 at 22:26:30 UTC

MNGO price increased from 0.0382 to 0.1!

Wait, where did the attacker’s USDC come from? Remember: the attacker received 5.525M USDC in Account1 from FTX, but deposited only 5M as collateral into MangoAccount1.

Oct 11, 2022 at 22:29:27 UTC

Wait, how could the attacker settle the order for MangoAccount1 so easily? Who is on the SELLER side?

Looking into the above transaction, we find three Mango: SettlePnl calls involving three other Mango accounts (the sellers):

  1. CQvKSNnYtPTZfQRQ5jkHq8q2swJyRsdQLcFcj3EmKFfX
  2. H6R2zNZMmhGoXLMGweGPP4Q9RtZ6RprVu7Hc868pJVbp
  3. C2y9bLhBn7ynkb2HhayHVpUFCSeRWJ9oqFXrKH3vBhZK

Looking into these accounts, we quickly realize that CQvKSN is the attacker’s MangoAccount2: it had created three sell positions for a total of 488302109 MNGO, and by decoding the owner of CQvKSN we find the attacker’s Account2: J44uRJ.

Now, we can do a similar analysis of Account2’s transaction history (32 transactions in total):

  • Oct 11, 2022 at 19:49:47 UTC
  • Oct 11, 2022 at 19:54:14 UTC
  • Oct 11, 2022 at 22:07:26 UTC
  • Oct 11, 2022 at 22:19:13 UTC
  • Oct 11, 2022 at 22:24:47 UTC
  • Oct 11, 2022 at 22:25:35 UTC
  • Oct 11, 2022 at 22:25:51 UTC

Now, going back to Account1, the rest of the attacker’s transactions are all about withdrawing various tokens from Mango and trading USDC for MNGO on Serum (to push the MNGO price up).

For example:

  • Oct 11, 2022 at 22:34:26 UTC
  • Oct 11, 2022 at 22:36:34 UTC
  • Oct 11, 2022 at 22:37:27 UTC
  • Oct 11, 2022 at 22:37:38 UTC

These SOL tokens in total were worth $50M. In total, the attacker was able to withdraw over $120M worth of tokens using MangoAccount1.

At the time of writing, MNGO price has dropped to $0.025 and the attacker’s Mango account has a bad debt of over $115M.

About sec3 (secure web3)

sec3 is a security research firm that prepares Solana projects for millions of users. sec3’s Launch Audit is a rigorous, researcher-led code examination that investigates and certifies mainnet-grade smart contracts; sec3’s continuous auditing software platform, X-ray, integrates with Github to progressively scan pull requests, helping projects fortify code before deployment; and sec3’s post-deployment security solution, WatchTower, ensures funds stay safe. sec3 is building technology-based scalable solutions for Web3 projects to ensure protocols stay safe as they scale.

To learn more about sec3, please visit https://www.sec3.dev