"According to Lim, the hacker funded the main account (account A) and offered 483mm units of $MNGO perps on the order book. The attacker then funded a second account (account B) with 5mm $USDC collateral. Then, he/she used the funds to buy the 483mm units of $MNGO perps (at a price of $0.0382 per unit). The perpetrator’s actions made $MNGO’s spot market price, reaching as high as $0.91. $MNGO/USD price of $0.91 per unit, account B was in the money by 483mm times ($0.91 – $0.03298) = $423mm. That was enough unrealized P&L to take out a loan of $116mm across a bunch of tokens. This left mango and left the protocol at a deficit,” Lim stated."
Is this a "hack", or a legitimate financial transaction? Nothing above looks illegal. In regulated markets, if something went from $0.03 to $0.91 in a short space of time, trading would be shut down. Nobody would sell you a loan on something that had just had a giant change in price.
But the crypto sector doesn't want exchange regulation, so they don't have the "circuit breakers" that, say, the CBOE does.
Web3isgoinggreat[1] tracks total losses in the cryptocurrency sector. Their total counter just advanced to $11 billion.
> But the crypto sector doesn't want exchange regulation, so they don't have the "circuit breakers" that, say, the CBOE does.
The description of crypto markets as "speedrunning the history of why we have the financial regulations we do" seems more and more accurate as time goes on.
But I agree, this isn't a "hack" in the normal sense. It may be a "hack" in the broader, "clever use of a system against the desires of the designer" sense, but it doesn't seem like any security boundaries were bypassed, just that the attacker made the system perform, per its rules, in a way that had not been predicted. Not a bad haul... good luck cashing it out, though.
> The description of crypto markets as "speedrunning the history of why we have the financial regulations we do" seems more and more accurate as time goes on.
As someone who's been at the butt end of banking regulation for almost two decades, I love that quote.
It used to annoy me to no end that crypto folk touted the lack of regulation, actually even the ability to regulate, as some revolutionary new feature, not realizing that in fact, they were just traveling back to the stone age of finance.
The vast majority of the tons of financial regulations that exist today serve to protect market participants, most notably your Average Joe. Average Joe claiming he doesn't need regulation just demonstrates their absolute cluelessness and is just another argument in favor of it.
The average Joe thinks the banking sector just runs checking accounts and credit cards…they have no clue how the rails of modern finance actually work.
This is how you end up with people comparing the energy usage of Bitcoin with that of the top 10 banks, as if they are remotely comparable.
> But the crypto sector doesn't want exchange regulation, so they don't have the "circuit breakers" that, say, the CBOE does.
If this platform doesn't have circuit breakers, it's simply because either they didn't think of it, they didn't think it was important, or they thought it was a bad idea.
There's nothing in crypto that clashes with the idea of a circuit breaker, it's completely orthogonal. And it shouldn't be too hard to code into the smart contract.
By the way I believe only some stock exchanges in the world have circuit breakers, it's not something as universal or required as you make it seem.
> only some stock exchanges in the world have circuit breakers
Most of the US ones do. Here's a list of recent NYSE and NASDAQ trading halts.[1] The London Stock Exchange has trading halts. Euronext has circuit breakers that trip on 8% - 10% changes. [2] The Tokyo stock exchange has trading halts, but doesn't use them often.[3] China's stock exchanges use trading halts too much.[4].
That covers the major markets. Who doesn't have some system to stop trading during big price swings?
Doesn't a circuit breaker imply human intervention? The point of DeFi is that you get some code running on a blockchain then release control. No central point of control. How this is going to work is beyond me. But without it a blockchain is just an expensive database.
A circuit breaker doesn't imply human intervention. U.S. regulations have three levels of a circuit breaker, which are set to halt trading when the S&P 500 Index drops 7%, 13%, and 20%. Circuit breakers for individual securities are triggered whether prices move up or down.
More of a financial exploit, but don't conflate popular crypto sentiment from Twitter with what's possible. There is no reason regulation is required to prevent this on a automatic protocol level - but no surprise in the DeFi space if preventing this type of exploit isn't an active area of development.
Many of the recent bridge hacks were easily preventable. Unfortunately when the dev himself is the hacker, no amount of active development would fix these issues
I'm not sure if this has much specific relation to the Mango hack, but you raise an interesting point mentioning the possibility of a developer hacking his own network (who would be more qualified to do so?) - my broader point is this: there is a lot of incentive to get these platforms up and running, and not always a lot to build them safely and even less to truly audit them.
Often the developers make their money up front - in a way that's all that has to be said for the diligence developers of these protocols might have across longer time scales.
People are so concerned with making a quick buck they forget about subtleties like developer token lock up, third party audits, patience in general. But that's how markets go - fast money is more valuable than slow money and the price you pay is risk.
What the average Joe need to know is that DeFi, while capable of producing huge gains, also comes with a lot of risk both market-wise and protocol safety-wise.
> What the average Joe need to know is that DeFi, while capable of producing huge gains, also comes with a lot of risk both market-wise and protocol safety-wise.
Gains have to come from somewhere. If they're not backed by something in the real world - say capital investment making some process more efficient or whatever - then the alternatives are that they're illusionary or backed by shenanigans.
Yes. Key concept. There were people in the crypto space who believed they'd invented financial perpetual motion. If you could run money through enough different transactions, you'd get a net gain without doing anything in the real world. That mostly went away when the entire crypto sector crashed. The "Line goes up" video[1] covers this mindset.
Regulating bodies are not capable of performing cyber-security protocol audits on emerging technology. 'Throwing regulation at the problem' is an embarrassing proposal that I'm sure many regulating bodies will pat you on the back for stanning.
Wash trading (under that term) is illegal, but I looked it up and the writing on it seems like it mainly applies to the context of creating higher volume, not price[1], and the latter is what the attacker used here. Margin lenders on conventional markets generally avoid this attack by incorporating volatility in their collateral requirements -- a recent rally in the price would mean higher volatility and thus more collateral required.
NB: This article is about the $115 million Mango Markets hack of a few days ago, not about the $127 million exploit of Binance's blockchain from last week or the $160 million Wintermute hack from last month or the $1.2 billion-with-a-'b' Acala hack from the month before, or...
Crypto being public might mean more hacks get reported whereas a 100 private businesses getting phished out of a million wont register even if the information is available to a reporter.
its a statement to focus on the system design of the organizations that got hacked instead of the asset/platform they happen to use, just like we do with non-crypto organizations
The platform that an organization uses is a critical piece of the design of an organization. If a bank gets hacked because they’re running Windows 95, would don’t turn around and absolve them of liability.
And if an organization uses an anonymous, immutable platform that makes it vulnerable to manipulation and theft, well then they deserve every bit of criticism.
Code is law working out real well over here. The code said that we should value MNGO at the current spot price, so that's what the code did, and poof went the entire network.
In the real world we have things like leverage ratios, anti-manipulation laws, circuit breakers, etc. Some of this is regulatory, and others are just things we figured out were good ideas many years ago.
I think there's a sense of hubris in the new code is law advocates. As a programmer, code is law scares me because I know code is nothing if not buggy, whereas law has real mechanisms where the case is presented in front of humans that generally speaking have reasonable thoughts. Yes law is flawed, judges can be biased, lawyers are expensive, but throwing all of that away in favour of code on the internet seems much worse.
Judges can issue injunctions that say "freeze everything until we sort it out in court", whereas code just runs whether you want it to or not. Courts can say "reverse all the transactions related to x", and blockchain is, by design, immutable.
Playing devil's advocate here, since I'm generally of your opinion: there is nothing that prevents more code being written covering more unintended uses of the technology, including injuctions and reversals. If at all, there is a hubris that complex problems can be solved with clean, minimal code and simple concepts. After all, when rendering their decisions, human courts are also solely refering to rules written before the fact (in my home country at least).
The problem is that a lot of these problems are only solvable within the network. Sure, if you steal a bunch of Ethereum, there could be a piece of code to reverse that theft under some conditions. But if you've cashed out, there's nothing the code will do. The code is only law within the tiny walled garden they've built. So not only do you have to improve the code, but you either need to prevent people leaving this walled garden so you can enforce your rules, or you create rules outside of the walled garden - which are called laws and the entire reason crypto exists was to evade those laws in the first place.
That's why these hacks are so often associated with Bridges - because the bridges are the locations where two different sets of rules are in force and you can exploit the difference between them.
> After all, when rendering their decisions, human courts are also solely refering to rules written before the fact (in my home country at least).
They don't though. Courts dream new meanings into existing laws, create new duties where none existed before, and while the extent to which they should do so is controversial, few serious people think they should avoid doing so entirely.
I agree with you, and IMHO that does not necessarily conflict with what I've written before. It's true that there is broad catch all logic at the top level of policies, and when deriving lower level decisions courts inherently create policy too. But I believe it's not completely unrealistic to have such functionality baked into a conflict resolution protocol for crypto as well. Although the decisions and policies it derives might not be explainable for humans.
Generally though, I use the arguments in this discussion the other way round: in convincing lawyers (German speaking lawyers that is) that the value of law is mostly in being readable by common people. And less in being unequivocal to courts. We have code for unambiguity, but in essence, code bears the same problems as complicated laws when communicating policy and what's socially accepted to society.
As far as I know this works very differently between Common Law and Continental Law, no? Common Law seems to be much more reliant on courts' decisions...
I'm being a bit facetious, but "we have bugs in our code, therefore we should write more code to prevent it" seems like the wrong direction to take :)
Yes, certainly we can write courts, injunctions, reversals, etc into code, but that's massively increasing the surface area for bugs. Oops, a hacker just injuncted the entire network and now the entire network is frozen.
Courts exist, to a certain extent, so that an impartial human can take a look at the situation and act according to thousands of pages of laws and hundreds of years of precedent. Humans are good at thinking like other humans, so we usually have pretty good intuition around what a judge will say and the limited possible outcomes from there, whereas the same really can't be said for computers.
Oops, robojudge just awarded all the money in the network to the hacker, too bad.
Yes and: Software bugs and law "bugs" are orthogonal. My hunch is their respective bugs don't cancel each other out, but rather the mismatch somehow makes each side worse.
FWIW, I recently read Seeing Like a State and am still trying to process what trying make society more legible (manageable) even means.
Hate to be that guy, but someone has to say it... In this case the code worked as expected and the "attacker" played within the rules of the game. Except they "won" too much. That's not supposed to happen.
"As expected" is doing a lot of lifting here. In some sense, this is true for all hacks. The code is just doing what you told it to do when it returns to some gadget in libc after the return address is smashed.
All exploits are making a program do what it says it does but where that behavior is different than what the developers hoped it would do.
Not quite. Per this other comment[1], there's a difference between correctness vs fitness for purpose. The code was correct -- if, previously you had walked through the logic of the attack with them, the coders would have said, "yep, that's what we want it to do -- lend that much, based on those oracles' prices".
They just didn't realize that there are dangers of using a price oracle for collateral valuation that has recently shown a sharp upward movement. (Which fals under "fitness for purpose".)
So the code correctly lent to someone at Mango's current valuation, it just didn't require the optimal-in-hindsight collateral ratio for such a volatile asset.
I think the really great thing about this hack, is this platform is governed by a DAO. Apparently, the person who pulled this heist ended up with enough governance tokens that they could propose something to do the DAO along the lines of "I'll send you a bit of money back if you say you won't call the cops" and was able to vote for it themselves with 32million votes. https://dao-beta.mango.markets/dao/MNGO/proposal/3WZ5DpZXDvN...
"Then, he/she used the funds to buy the 483mm units of $MNGO perps (at a price of $0.0382 per unit). The perpetrator’s actions made $MNGO’s spot market price, reaching as high as $0.91"
Is the second sentence sentence missing some words? Or is there something specific about Mango that makes this make sense? If 483mm units were bought for $0.0382 per unit (is that the average price, a fixed price?), why did the spot price suddenly increase 30x, was there that big of a spread in the order book? Also how does that add up to $5mm USDC? Isn't $0.0382 x 483mm = $18.4506mm?
First question: yes, the missing part is that the attacker also had to buy a bunch of spot mango tokens on centralized exchanges to drive the price up after establishing the large position.
Second question: Mango Markets lets you trade perpetual futures with leverage, so you don't need collateral equal to the notional value of the contracts you buy.
User acquires an/a set of in perpetuity futures contracts. (A future without an expiry date, effectively, what? A pin I guess?) Idea being, this order indicates intent to swap at volume $MNGO to $USDC at $RATE.
Centralized exchanges sees the futures order, and starts cranking up the price of $MNGO due to the increased interest in swapping based on the presence of the Futures.
The Futures contracts are leveraged, but require no collateral, because there is no expiry date on the Future (no intended date of delivery).
So the order volume (spot token purchases) induced upward price movement and... What? Caused other uninvolved investors to buy his acquired tokens at a peak, and he just takes the money and cashes out never intending to actually honor or settle up the perps, which won't margin call, because they're still "good" but will never mature? I'm failing to see an exfil path for ill-gotten gains/financial chicanery beyond the seemingly obvious wash trading.
If anyone can help detangle this, I'd be much obliged. This kind of market weirdness is interesting, but inscrutable at times, when there's usually like 6 pieces of networked jargon needed to render something that doesn't tend to line up to anything tangible in the conventional sense.
> User acquires an/a set of in perpetuity futures contracts. (A future without an expiry date, effectively, what? A pin I guess?) Idea being, this order indicates intent to swap at volume $MNGO to $USDC at $RATE.
No, a perpetual future is like a basket of daily futures that roll over automatically when they expire. Also, an order is different from a position. The user acquired a long position in one account and a short position in another.
> Centralized exchanges sees the futures order, and starts cranking up the price of $MNGO due to the increased interest in swapping based on the presence of the Futures.
No, the activity on the Mango DEX had no impact on the price of MNGO on centralized exchanges. The user had to separately buy a bunch of MNGO on centralized exchanges to manipulate the price.
> The Futures contracts are leveraged, but require no collateral, because there is no expiry date on the Future (no intended date of delivery).
They require collateral. That's why the user had to send $5mm to each of the two accounts they used at the Mango DEX as the first step of the attack.
> So the order volume (spot token purchases) induced upward price movement and... What? Caused other uninvolved investors to buy his acquired tokens at a peak, and he just takes the money and cashes out never intending to actually honor or settle up the perps, which won't margin call, because they're still "good" but will never mature? I'm failing to see an exfil path for ill-gotten gains/financial chicanery beyond the seemingly obvious wash trading.
The user could withdraw dollars from Mango because their long MNGO-PERP position was in profit.
The entire cryptocurrency hype machine is predicated upon quoting market capitalization based on instantaneous spot prices. Nobody thinks about liquidity until it's gone.
the people that don't architect their systems for oracle manipulations?
the way people talk around here reminds me of people in the 90s ‘that dun undastand dem puters with their viruses”, interestingly the folly and new problems presented by computers never went away, consumer and developer behavior improved
The usual way to fix this sort of thing is with a human-in-the-loop retroactive fix process. But that's called "regulation" and "lawsuits", and the cryptocoin crowd trends to not like those.
Every time I have dis'd crypto in comments on HN they always loose karma. This is the first discussion with people that agree with me. I have found my tribe:)
From what I'm seeing here, all the individual things that were done _were_ correct. It just so happens that the system was setup with rules that allow for this type of thing. A probably correct program would not have helped here.
The problem is that you can't predict ahead of time every use case.
That's why today's financial system has the ability to manually revert back to a previous state if something gets wrong e.g. undo transactions, government bailouts etc.
Hey Matt! There is some interesting work done in this area. For example https://reach.sh/ lets you write formally verified smart contracts.
I guess this is helpful with some classes of bugs. But I'm not sure it would with most. For example it is unclear if it would have caught this problem since (from the vague description!) it appears it would have needed some economic modelling to catch.
A lot of people seem to think that this was an inside job. I’m getting tired of this. So much money has been siphoned away from the market it’s not funny anymore.
Is this a "hack", or a legitimate financial transaction? Nothing above looks illegal. In regulated markets, if something went from $0.03 to $0.91 in a short space of time, trading would be shut down. Nobody would sell you a loan on something that had just had a giant change in price. But the crypto sector doesn't want exchange regulation, so they don't have the "circuit breakers" that, say, the CBOE does.
Web3isgoinggreat[1] tracks total losses in the cryptocurrency sector. Their total counter just advanced to $11 billion.
[1] https://web3isgoinggreat.com/