In this article series, we will conduct in-depth post-hack investigations on a few representative attacks on on-chain protocols and share the techniques and tools used by the sec3 core team to understand the attacks.
Recently, MangoMarkets was exploited for over $100M; the exploiter even created a Mango DAO proposal “Repay bad debt” that calls for the Mango treasury to pay off the bad debt, positioning depositors against the protocol.
1. The attacker funded two accounts with more than $10M USDC from FTX.
2. Using those two accounts as owners, the attacker created two Mango accounts and deposited 5M USDC into each as collateral.
3. The attacker used MangoAccount1 to open a large long position (BUY quantity=515717245 at price=0.0382 USDC, using Mango's 4X leverage) in MNGO-PERP.
4. The attacker used MangoAccount2 to open three large short positions (SELL total quantity=488302109) in MNGO-PERP, taking the other side of that long.
5. The attacker drove the MNGO spot price up sharply (from 0.0382 to as high as 0.5 USDC, a more than 13X increase) through multiple whale trades on Serum DEX.
6. The attacker settled the profits and losses between MangoAccount1 and MangoAccount2, leaving MangoAccount1 with a huge unrealized profit ($200M+) on its long position.
7. The attacker then used MangoAccount1 to borrow and withdraw over $120M worth of various tokens (BTC (sollet), USDT, SOL, mSOL, USDC) from Mango, all in a matter of minutes.
In essence, the attack combines MNGO's thin spot liquidity and volatility with Mango's margin and leverage in the futures market: a perp position the attacker traded against themselves is marked to a spot price the attacker could move, and the resulting paper profit was accepted as collateral for real borrows.
@SBF_FTX had an excellent exposition on this approach.
To investigate this attack, we first need to find the attacker's addresses and the attacking transactions. Suppose we are only given the attacker's Mango account (which carries a huge debt of -$115M): https://trade.mango.markets/account?pubkey=4ND8FVPjUGGjx9VuGFuJefDWpg3THb58c277hbVRnjNa
However, there are thousands of transactions on Mango per minute, so how do we know which addresses belong to the attacker? The sec3 team used the following three ways:
The third way, decoding the MangoAccount data itself, is the most effective, because the owner of a Mango account is stored in the MangoAccount struct as its third field, right after the MetaData header and the mango_group pubkey (see line 1286 below):
By decoding the account data of 4ND8FVPjUGGjx9VuGFuJefDWpg3THb58c277hbVRnjNa, we find that its owner is yUJw9a2PyoqKkH47i4yEGf4WXomSHMiK7Lp29Xs2NqM (the attacker's Account1).
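The decoding step just described, as an added example that is not the article's or sec3's own tooling: it parses the first three fields of a mango-v3 MangoAccount (the 8-byte MetaData header, then mango_group, then owner at byte offset 40) out of the raw account bytes, base58-encodes the owner so it can be compared with explorer output, and shows how to take those bytes from a Solana JSON-RPC getAccountInfo reply. The value DATA_TYPE_MANGO_ACCOUNT = 1 is assumed from mango-v3's DataType enum, and the sample account bytes and sample RPC reply are constructed here so the check runs offline; only the field order matters for the owner lookup.

```python
"""Recover the owner of a Mango v3 MangoAccount from its raw account data.

Added example for this article, not sec3's tooling. Field layout follows
mango-v3's MangoAccount struct (MetaData, mango_group, owner, ...);
DATA_TYPE_MANGO_ACCOUNT = 1 is assumed from mango-v3's DataType enum.
"""
import base64
import json
import struct
import urllib.request

B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# MangoAccount (zero-copy, packed) begins with:
#   MetaData: data_type u8, version u8, is_initialized u8, extra_info [u8; 5] -> 8 bytes
#   mango_group: Pubkey                                                        -> 32 bytes
#   owner: Pubkey                                                              -> 32 bytes
META_DATA_LEN = 8
PUBKEY_LEN = 32
MANGO_GROUP_OFFSET = META_DATA_LEN                # 8
OWNER_OFFSET = MANGO_GROUP_OFFSET + PUBKEY_LEN    # 40
DATA_TYPE_MANGO_ACCOUNT = 1                       # assumed: DataType::MangoAccount


def b58encode(data: bytes) -> str:
    """Bitcoin/Solana base58: each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return (B58_ALPHABET[:1] * pad + digits[::-1]).decode()


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text.encode():
        n = n * 58 + B58_ALPHABET.index(ch)   # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def decode_mango_account_header(data: bytes) -> dict:
    """Parse MetaData, mango_group and owner; reject data that is not a MangoAccount."""
    if len(data) < OWNER_OFFSET + PUBKEY_LEN:
        raise ValueError("account data too short for a MangoAccount")
    data_type, version, is_initialized = struct.unpack_from("<BBB", data, 0)
    if data_type != DATA_TYPE_MANGO_ACCOUNT:
        raise ValueError(f"data_type {data_type} is not a MangoAccount")
    group = data[MANGO_GROUP_OFFSET:MANGO_GROUP_OFFSET + PUBKEY_LEN]
    owner = data[OWNER_OFFSET:OWNER_OFFSET + PUBKEY_LEN]
    return {
        "version": version,
        "is_initialized": bool(is_initialized),
        "mango_group": b58encode(group),
        "owner": b58encode(owner),
    }


def owner_from_rpc_response(resp: dict) -> str:
    """Owner from a JSON-RPC getAccountInfo reply requested with encoding=base64."""
    value = resp["result"]["value"]
    if value is None:
        raise ValueError("account does not exist")
    encoded, encoding = value["data"]
    if encoding != "base64":
        raise ValueError(f"unexpected encoding {encoding}")
    return decode_mango_account_header(base64.b64decode(encoded))["owner"]


def fetch_owner(mango_account: str, rpc_url: str = "https://api.mainnet-beta.solana.com") -> str:
    """Live lookup (needs network): getAccountInfo, then decode the owner field."""
    body = {"jsonrpc": "2.0", "id": 1, "method": "getAccountInfo",
            "params": [mango_account, {"encoding": "base64"}]}
    req = urllib.request.Request(rpc_url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as r:
        return owner_from_rpc_response(json.load(r))


def build_sample_account(owner: bytes, group: bytes, version: int = 1) -> bytes:
    """Constructed MangoAccount prefix for offline use (not real on-chain data)."""
    meta = struct.pack("<BBB5x", DATA_TYPE_MANGO_ACCOUNT, version, 1)
    return meta + group + owner + bytes(64)   # trailing bytes stand in for the rest


def sample_rpc_response(data: bytes) -> dict:
    """Constructed getAccountInfo reply in the shape the RPC returns for base64."""
    return {"jsonrpc": "2.0", "id": 1,
            "result": {"context": {"slot": 0},
                       "value": {"data": [base64.b64encode(data).decode(), "base64"],
                                 "executable": False, "lamports": 0,
                                 "owner": "mango program id here", "rentEpoch": 0}}}


if __name__ == "__main__":
    sample = build_sample_account(owner=bytes(range(32)), group=bytes(32))
    print(decode_mango_account_header(sample))
    # Real account from the article (network required):
    # print(fetch_owner("4ND8FVPjUGGjx9VuGFuJefDWpg3THb58c277hbVRnjNa"))
```

The same decoder applies to every Mango account that turns up later in the investigation (the SettlePnl counterparties, for instance): decode its data, read offset 40, and you have the wallet that signs for it, which is what links Mango accounts to funding addresses.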
Then we can retrieve the full transaction history of the attacker's Account1. There are 44 transactions in total. We analyze them one by one, from oldest to newest:
MNGO price increased from 0.0382 to 0.1!
Wait, where did the attacker's USDC come from? Remember: the attacker received 5.525M USDC in Account1 from FTX but deposited only 5M as collateral into MangoAccount1, leaving 525K USDC in Account1 outside Mango.
Wait, how could the attacker settle MangoAccount1's profit so easily? Who was on the SELLER side?
Looking into the above transaction, we find three Mango: SettlePnl calls involving three other Mango accounts (the sellers):
Looking into these accounts, we quickly realize that CQvKSN is the attacker's MangoAccount2: it opened three short (seller) positions totaling 488302109 MNGO, and by decoding the owner of CQvKSN we find the attacker's Account2: J44uRJ.
Now we can do the same analysis on Account2's transaction history (32 transactions in total):
Going back to Account1, the rest of the attacker's transactions are all either withdrawals of various tokens from Mango or trades of USDC for MNGO on Serum (to push the MNGO price up).
The SOL withdrawn in these transactions alone was worth $50M. In total, the attacker withdrew over $120M worth of tokens using MangoAccount1.
At the time of writing, MNGO price has dropped to $0.025 and the attacker’s Mango account has a bad debt of over $115M.
sec3 is a security research firm that prepares Solana projects for millions of users. sec3’s Launch Audit is a rigorous, researcher-led code examination that investigates and certifies mainnet-grade smart contracts; sec3’s continuous auditing software platform, X-ray, integrates with GitHub to progressively scan pull requests, helping projects fortify code before deployment; and sec3’s post-deployment security solution, WatchTower, ensures funds stay safe. sec3 is building technology-based scalable solutions for Web3 projects to ensure protocols stay safe as they scale.
To learn more about sec3, please visit https://www.sec3.dev