Mango Markets Mangled by Oracle Manipulation for $112M

The attacker who saddled the Solana-based DeFi-protocol with bad debt wants to cut a deal

by Sebastian Sinclair&Macauley Peterson /
article-image

Source: Shutterstock

share
  • Mango is currently investigating an exploit of the oracle price feeds for its own governance token
  • The hacker responsible is asking DAO members to vote on a proposal that would return a portion of the stolen funds

Mango Markets, a decentralized finance trading platform on the Solana blockchain, said Tuesday it was investigating a hack worth approximately $112 million in digital assets.

Mango said the hacker was able to drain funds from its platform utilizing a technique known as oracle price manipulation — a form of economic attack that has hit other DeFi protocols before.

The actor managed to withdraw various digital assets — mostly stablecoins, including $53.7 million in USD Coin (USDC) and $3.2 million in tether (USDT) — but also solana (SOL).

In an unusual twist, they’re proposing to return a portion of the stolen funds, namely Marinade-staked solana (MSOL), native SOL and the platform’s own MNGO governance token. The rest the culprit claims as a “bounty.”

That is, of course, if Mango’s DAO community votes yes on the thief’s proposal.

“By voting for this proposal, mango token holders agree to pay this bounty and pay off the bad debt with the treasury, and waive any potential claims against accounts with bad debt, and will not pursue any criminal investigations or freezing of funds once the tokens are sent back as described above,” the attacker wrote on the protocol’s governance forum.

The hacker is requesting Mango use its treasury stash of 70 million USDC to repay “bad debt.” This debt derives from an incident in June when the Mango community teamed up with another Solana-based lending and borrowing protocol, Solend, to deal with a systemic risk caused by a single large borrower, at risk of liquidation, that put the entire Solana DeFi ecosystem in jeopardy.

Newsletter

Subscribe to The Breakdown

The Mango DAO, or stewards of the protocol, should also not pursue any criminal investigations or freeze the attacker’s funds — via centralized stablecoins such as USDC and USDT — once the cryptoassets are returned.

But not all the assets will be returned; while a definitive amount for the bounty was not given, it can be assumed from the tokens omitted from the initial hack that the attacker is requesting to keep well over half of what they stole — substantially more than most “white hat” hackers or bug bounty hunters typically receive.

Still, Mango DAO members have so far voted in favor of the hacker’s proposal, with a 99.9% “yes” rate from roughly 33 million MNGO tokens — although just a single wallet address is responsible for the lion’s share of the vote. As DAOs go, this one is extremely centralized, with most governance votes being decided by just a handful of addresses.

The top voters holding the bulk of MNGO tokens | Source: Mango governance vote

A further 67 million yes votes are required for the proposal to pass a quorum threshold during the three-day voting period.

Price oracle manipulation

While the consultation and investigation continue, the platform’s stewards have requested users to cease depositing assets until the situation becomes clearer.

Dapps such as Mango rely on oracles to pull on-chain data for specific tokens. Manipulation occurs when protocols such as data feeds are corrupted, allowing transactions that were not intended.

In the case of Mango, the attacker was able to manipulate their collateral value via the platform before taking out “massive loans” totaling $112,199,876 from Mango’s treasury, security auditing firm OtterSec reported on Twitter.

OtterSec founder Robert Chen confirmed the figure to Blockworks who said the price manipulation was suspected to have occurred on centralized exchanges which Mango used to reference the value of the collateral.

MNGO’s price briefly spiked about 300% to $0.15 in the space of 10 minutes on the FTX exchange, then dropped 88% to under $0.02 following the attack.

The MNGO/USD market on FTX, 1-minute time frame | Source: TradingView

Solana developer Tom Geshury was credited with being the first to bring the hack to the security auditing firm’s attention.

Geshury told Blockworks the hacker used $10 million to self-trade Mango perpetual contracts and then an estimated $3 million to pump the price of MNGO and execute the plan, before market participants got wind of the scheme and began dumping their tokens.

Mango Markets is an interface to margin trade on the Serum DEX, which is backed by the crypto arm of trading giant Jump Capital. Jump Crypto’s president Kanav Kariya also confirmed the mechanism at play in the exploit.

Loading Tweet..

Mango has released a statement saying it is taking steps to have third parties freeze funds in flight.

“We will be disabling deposits on the front end as a precaution and will keep you updated as the situation evolves,” the group said via Twitter.

Blockworks attempted to contact several admins on the Mango Discord channel but was unsuccessful.

A number of protocols have been hit by such attacks this year alone, including DeFi platform Inverse Finance for $5.8 million in June and stablecoin lending platform Fortress Protocol for $3 million in May.

The attack against Mango comes less than a week after Binance’s own network, BNB Chain, was targeted for hundreds of millions of dollars via a cross-chain bridge exploit. The amount stolen was contained to about $100 million.

Get the news in your inbox. Explore Blockworks newsletters:

Tags

Newsletter

The Breakdown

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Digital Asset Summit 2026

Javits Center North | 445 11th Ave

Tues - Thurs, March 24 - 26, 2026

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

recent research

Flying_Tulip.png

Research

Flying Tulip: Principal Protection at a Valuation Premium

Flying Tulip's perpetual put option provides real principal protection, but investors must pay a valuation premium today for products that have to be built over the next 24 months. This structure works best as a stablecoin substitute where the put allows continuous monitoring—accept opportunity cost in exchange for asymmetric upside if the team executes on its ambitious cross-collateral architecture.

by Daniel Shapiro

/

news

article-image

0xResearch NewsletterMarkets

When the easy trades disappear

As flows consolidate and volatility fades, finding edge now means knowing which games are still worth playing

by Kunal Doshi&Shaunda Devens /
article-image

DeFiEmpire Newsletter

Value distribution to token holders returns to all-time high: 1kx report

Value distribution came to $1.9 billion distributed in Q3, though total revenues have yet to beat 2021 heights

by David Canellis /
article-image

0xResearch NewsletterFinance

Stablecoins step into the remittance game

MegaETH public sale auction ends tomorrow, and the free money machine has attracted people who like free money

by Marc Arjoon&Boccaccio /
article-image

DeFi

Acre’s 14% bitcoin yield leans on Ethereum DeFi

With tBTC under the hood, Acre abstracts bridging and converts non-BTC rewards to bitcoin

by Macauley Peterson /
article-image

Business

Pantera leads $7.5M round for Accountable: Exclusive

Accountable is also eyeing mid-November for mainnet launch

by Katherine Ross /
article-image

Forward Guidance NewsletterMarkets

Inside Bitwise’s milestone solana ETF launch

“Adjusted for size, I think it may be the most successful ETP launch of all time,” Bitwise CIO Matt Hougan says

by Ben Strack /