The hacker who exploited the popular Solana-based trading platform Mango has demanded $70 million in USDC as a bounty. The exploiter made the demand in a proposal posted to the protocol’s DAO. According to the proposal, the hacker promised to refund a portion of the stolen funds provided the Mango DAO community votes Yes on the bounty.
As reported, the hacker wants Mango to use its treasury stash of 70 million USDC to repay the bad debt. Additionally, he wants the trading platform to refrain from carrying out any investigation or freezing any funds once the tokens are refunded. Meanwhile, the hacker has yet to disclose the percentage of funds he intends to return. So far, Mango DAO members have voted in favor of the hacker’s proposal.
Notably, the hacker's proposal comes barely hours after the attack on the protocol. As reported, Mango lost about $112 million in digital assets to the hacker. According to the protocol, the hacker carried out the attack using a technique known as oracle price manipulation. In addition, Mango reportedly lost $53.7 million in USD Coin (USDC) and $3.2 million in Tether (USDT) to the attack.
Mango narrates how the exploitation unfolded on its network
After the attack, Mango threatened to investigate the exploit. It says the exploit took place on October 11, around 22:00 UTC. During the attack, Mango noted, accounts funded with USDC took an inflated position in MNGO-PERP. Mango also revealed that the underlying MNGO/USD prices on various exchanges (FTX, Ascendex) rose 5-10x within minutes. As a result, the Switchboard and Pyth oracles updated their MNGO benchmark price to $0.15+. That in turn produced a mark-to-market rise in the value of the account that was long MNGO-PERP, because of its unrealized profit.
As reported, the change in MNGO/USD prices enabled the hacker’s account to borrow and withdraw BTC (Sollet), USDT, SOL, mSOL, and USDC from the Mango protocol. The borrowed assets came from the $190 million equivalent in deposits on the platform. Shortly after the attack, Mango froze its program instructions to prevent users from transacting with the protocol. As of now, users cannot deposit to or withdraw from the protocol. In addition, parties involved in the incident have communicated with the DAO about possible negotiations.
Additionally, the Mango protocol clarified that the oracle providers were not at fault in the attack. According to the protocol, oracle price reporting worked as it was programmed.
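
Because the oracles reported the spiked price correctly, any safeguard has to sit in how the lending side values unrealized profit. The sketch below is an added illustration, not Mango's code: it compares the borrow limit computed at the raw oracle price with one computed at a price capped relative to a rolling median. The account size, entry price, 0.8 collateral weight, 1.5x cap, and the price series are all constructed assumptions.

```python
from statistics import median

# Constructed MNGO/USD oracle updates: flat, then a 5x jump within two updates.
SAMPLE_UPDATES = [0.030, 0.031, 0.030, 0.032, 0.031, 0.032, 0.09, 0.15]


def equity(collateral, size, entry, price):
    """Deposited collateral plus unrealized PnL of a long perp position."""
    return collateral + size * (price - entry)


def guarded_price(history, oracle_price, max_ratio=1.5):
    """Price used for borrowing: capped at max_ratio x the rolling median."""
    return min(oracle_price, median(history) * max_ratio)


def review(updates, collateral, size, entry, window=5, weight=0.8):
    """For each update with enough history, compare the borrow limit at the
    raw oracle price against the limit at the guarded price."""
    rows = []
    for i in range(window, len(updates)):
        price = updates[i]
        capped = guarded_price(updates[i - window:i], price)
        rows.append({
            "price": price,
            "naive": weight * equity(collateral, size, entry, price),
            "guarded": weight * equity(collateral, size, entry, capped),
            "flagged": price > capped,  # oracle moved past the allowed band
        })
    return rows


if __name__ == "__main__":
    # Hypothetical account: 5M USDC deposited, long 100M MNGO-PERP at $0.03.
    for row in review(SAMPLE_UPDATES, 5_000_000, 100_000_000, 0.03):
        print(row)
```

A rolling median only buys time: once spiked prices fill the window the cap rises with them, so a flag should also pause new borrows against the affected position.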