Crypto Attack Swipes $100 Million From DeFi Service Mango; This Is How It Was Done

tech.hindustantimes.com:

An attacker spirited away about $100 million from decentralized finance provider Mango by manipulating the price of its token in an exploit that wiped out depositors on the crypto platform.

The heist began with two accounts funded with the stablecoin USD Coin, the platform said Wednesday on Twitter. The accounts took large positions in Mango perpetual futures, causing the price of the Mango token to spike.

The price jump stoked an unrealized profit from the futures. The attacker used that to borrow and withdraw roughly a net $100 million from the protocol in a range of tokens -- leaving depositors with nothing, according to Mango.

“This incident has effectively resulted in a total draining of all equity available,” the platform said on Twitter, adding the attackers are communicating with Mango and “indicating a willingness to negotiate.”

The exploit, which follows a spate of multimillion-dollar hacks of DeFi protocols in past months, sheds light on some of the security weaknesses of decentralized exchanges. At so-called DEXs, software essentially enables crypto traders to transact directly with each other without an intermediary.

This differs from centralized exchanges -- CEXs in industry argot -- which are run by a central entity that has custody of user funds.

“Despite their potential, DEXs are still immature in terms of their evolution and come with their own set of security risks,” said Hirander Misra, chief executive of GMEX Group. “There are over a hundred public blockchains, each with their own ways of doing things, meaning no effective agreed standards and given their decentralized nature, no regulation and investor protection.”

The Mango incident is “a price manipulation attack” that took advantage of the ability to