by Animats 1344 days ago
"According to Lim, the hacker funded the main account (account A) and offered 483mm units of $MNGO perps on the order book. The attacker then funded a second account (account B) with 5mm $USDC collateral. Then, he/she used the funds to buy the 483mm units of $MNGO perps (at a price of $0.0382 per unit). The perpetrator’s actions made $MNGO’s spot market price, reaching as high as $0.91. $MNGO/USD price of $0.91 per unit, account B was in the money by 483mm times ($0.91 – $0.03298) = $423mm. That was enough unrealized P&L to take out a loan of $116mm across a bunch of tokens. This left mango and left the protocol at a deficit,” Lim stated."

Is this a "hack", or a legitimate financial transaction? Nothing above looks illegal. In regulated markets, if something went from $0.03 to $0.91 in a short space of time, trading would be shut down. Nobody would sell you a loan on something that had just had a giant change in price. But the crypto sector doesn't want exchange regulation, so they don't have the "circuit breakers" that, say, the CBOE does.

Web3isgoinggreat[1] tracks total losses in the cryptocurrency sector. Their total counter just advanced to $11 billion.

[1] https://web3isgoinggreat.com/


> But the crypto sector doesn't want exchange regulation, so they don't have the "circuit breakers" that, say, the CBOE does.

The description of crypto markets as "speedrunning the history of why we have the financial regulations we do" seems more and more accurate as time goes on.

But I agree, this isn't a "hack" in the normal sense. It may be a "hack" in the broader, "clever use of a system against the desires of the designer" sense, but it doesn't seem like any security boundaries were bypassed, just that the attacker made the system perform, per its rules, in a way that had not been predicted. Not a bad haul... good luck cashing it out, though.

> The description of crypto markets as "speedrunning the history of why we have the financial regulations we do" seems more and more accurate as time goes on.

As someone who's been at the butt end of banking regulation for almost two decades, I love that quote.

It used to annoy me to no end that crypto folk touted the lack of regulation, actually even the ability to regulate, as some revolutionary new feature, not realizing that in fact, they were just traveling back to the stone age of finance.

The vast majority of the tons of financial regulations that exist today serve to protect market participants, most notably your Average Joe. Average Joe claiming he doesn't need regulation just demonstrates their absolute cluelessness and is just another argument in favor of it.

The average Joe thinks the banking sector just runs checking accounts and credit cards…they have no clue how the rails of modern finance actually work.

This is how you end up with people comparing the energy usage of Bitcoin with that of the top 10 banks, as if they are remotely comparable.

> But the crypto sector doesn't want exchange regulation, so they don't have the "circuit breakers" that, say, the CBOE does.

If this platform doesn't have circuit breakers, it's simply because either they didn't think of it, they didn't think it was important, or they thought it was a bad idea.

There's nothing in crypto that clashes with the idea of a circuit breaker, it's completely orthogonal. And it shouldn't be too hard to code into the smart contract.

By the way I believe only some stock exchanges in the world have circuit breakers, it's not something as universal or required as you make it seem.

> only some stock exchanges in the world have circuit breakers

Most of the US ones do. Here's a list of recent NYSE and NASDAQ trading halts.[1] The London Stock Exchange has trading halts. Euronext has circuit breakers that trip on 8% - 10% changes.[2] The Tokyo stock exchange has trading halts, but doesn't use them often.[3] China's stock exchanges use trading halts too much.[4]

That covers the major markets. Who doesn't have some system to stop trading during big price swings?

[1] https://www.nyse.com/trade-halt-current

[2] https://www.euronext.com/en/news/trading-safeguards-euronext...

[3] https://www.jpx.co.jp/english/markets/derivatives/suspended/

[4] https://www.scmp.com/business/china-business/article/2174454...

Doesn't a circuit breaker imply human intervention? The point of DeFi is that you get some code running on a blockchain then release control. No central point of control. How this is going to work is beyond me. But without it a blockchain is just an expensive database.

A circuit breaker doesn't imply human intervention. U.S. regulations have three levels of a circuit breaker, which are set to halt trading when the S&P 500 Index drops 7%, 13%, and 20%. Circuit breakers for individual securities are triggered whether prices move up or down.

More of a financial exploit, but don't conflate popular crypto sentiment from Twitter with what's possible. There is no reason regulation is required to prevent this on an automatic protocol level - but no surprise in the DeFi space if preventing this type of exploit isn't an active area of development.

Many of the recent bridge hacks were easily preventable. Unfortunately, when the dev himself is the hacker, no amount of active development would fix these issues.

I'm not sure if this has much specific relation to the Mango hack, but you raise an interesting point mentioning the possibility of a developer hacking his own network (who would be more qualified to do so?) - my broader point is this: there is a lot of incentive to get these platforms up and running, and not always a lot to build them safely and even less to truly audit them.

Often the developers make their money up front - in a way that's all that has to be said for the diligence developers of these protocols might have across longer time scales.

People are so concerned with making a quick buck they forget about subtleties like developer token lock up, third party audits, patience in general. But that's how markets go - fast money is more valuable than slow money and the price you pay is risk.

What the average Joe needs to know is that DeFi, while capable of producing huge gains, also comes with a lot of risk both market-wise and protocol safety-wise.

> What the average Joe needs to know is that DeFi, while capable of producing huge gains, also comes with a lot of risk both market-wise and protocol safety-wise.

Gains have to come from somewhere. If they're not backed by something in the real world - say capital investment making some process more efficient or whatever - then the alternatives are that they're illusionary or backed by shenanigans.

> Gains have to come from somewhere.

Yes. Key concept. There were people in the crypto space who believed they'd invented financial perpetual motion. If you could run money through enough different transactions, you'd get a net gain without doing anything in the real world. That mostly went away when the entire crypto sector crashed. The "Line goes up" video[1] covers this mindset.

[1] https://www.youtube.com/watch?v=YQ_xWvX1n9g

Sounds like what the space needs is regulation...

You know, to provide assurance that automated protocols are written strongly, and legal recourse against bad actors.

Regulating bodies are not capable of performing cyber-security protocol audits on emerging technology. 'Throwing regulation at the problem' is an embarrassing proposal that I'm sure many regulating bodies will pat you on the back for stanning.
Like we have chemical analogue laws that prohibit new drugs that are similar to existing drugs, we could have financial services / product analogue laws that prohibit bullshit like this, that enables regulators / LE to prosecute bad actors.

I'm not suggesting that we ought to prohibit innovation, and I'd prefer we tax and regulate drugs too, and laws don't prevent bad actors, but we should be able to go after and exact retribution upon those who intentionally break the rules.

But regulating bodies could require adequate insurance against losses from hacking.

Regulations are for people that are not Peter Thiel.

That's what auditing is for.

> The perpetrator’s actions made $MNGO’s spot market price, reaching as high as $0.91.

If the "perpetrator" sold 483mm units on one account and bought 483mm units on another account, why did the market price rise so much?

They separately bought a bunch of tokens on centralized exchanges to manipulate the price of the derivatives.

Which, also based on the parent, sounds like a pretty smart exploit, doesn't it?

It is a wash trade, which is illegal in a regulated market.
Wash trading (under that term) is illegal, but I looked it up and the writing on it seems like it mainly applies to the context of creating higher volume, not price[1], and the latter is what the attacker used here. Margin lenders on conventional markets generally avoid this attack by incorporating volatility in their collateral requirements -- a recent rally in the price would mean higher volatility and thus more collateral required.

[1] https://en.wikipedia.org/wiki/Wash_trade

https://www.investopedia.com/terms/w/washtrading.asp
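To make the two mitigations raised in this thread concrete (the automatic circuit breaker discussed above, and the volatility-aware collateral requirement from the comment just above), here is an added illustration of a lender-side credit check; it is not code from the thread or from Mango Markets. The oracle price series, the 12-tick window, the 80% LTV and the haircut multiplier k are constructed assumptions; the 7% halt threshold reuses the first U.S. index level quoted in the thread.

```python
from dataclasses import dataclass
from statistics import pstdev

@dataclass
class Position:
    units: float         # long perp contracts held
    entry_price: float   # average fill price

def unrealized_pnl(pos: Position, mark: float) -> float:
    """Mark-to-market P&L at the given mark price."""
    return pos.units * (mark - pos.entry_price)

def twap_mark(prices: list, window: int) -> float:
    """Time-weighted average of the last `window` oracle ticks."""
    recent = prices[-window:]
    return sum(recent) / len(recent)

def volatility_haircut(prices: list, window: int, k: float = 2.0) -> float:
    """Haircut = k * std dev of tick-to-tick returns, capped at 100%."""
    recent = prices[-window:]
    rets = [(b - a) / a for a, b in zip(recent, recent[1:])]
    return min(1.0, k * pstdev(rets)) if len(rets) > 1 else 0.0

def breaker_tripped(prices: list, window: int, threshold: float = 0.07) -> bool:
    """True if the absolute move over the window meets the halt threshold
    (7% is the first U.S. index level from the thread; an assumption here)."""
    ref = prices[-window] if len(prices) >= window else prices[0]
    return abs(prices[-1] - ref) / ref >= threshold

def borrow_capacity(pos: Position, prices: list, window: int = 12,
                    ltv: float = 0.8, k: float = 2.0) -> tuple:
    """Return (naive, hardened) max loan against unrealized P&L.
    naive: latest spot oracle tick, no haircut, no breaker (what the exploit abused).
    hardened: TWAP mark reduced by the volatility haircut, and zero credit
    while the breaker is tripped."""
    naive = max(0.0, unrealized_pnl(pos, prices[-1])) * ltv
    if breaker_tripped(prices, window):
        return naive, 0.0
    mark = twap_mark(prices, window) * (1.0 - volatility_haircut(prices, window, k))
    return naive, max(0.0, unrealized_pnl(pos, mark)) * ltv

# Constructed oracle series: eleven quiet ticks near $0.04, then one tick at
# the $0.91 spike quoted in the thread; position size and entry from the quote.
SPIKE = [0.04] * 11 + [0.91]
POS = Position(units=483e6, entry_price=0.0382)

if __name__ == "__main__":
    print(borrow_capacity(POS, SPIKE))  # naive ~ $337mm, hardened 0.0
```

With the hardened check, the spike trips the breaker and extends no credit; on a flat series both checks agree, and on a merely bumpy series the haircut alone pulls the mark below the entry price.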

Market manipulation.

AKA “not a legitimate transaction”.

If the protocol allows it, it's legitimate. Welcome to the future of money.
> Nothing above looks illegal. In regulated markets, if something went from $0.03 to $0.91 in a short space of time, trading would be shut down.

Because the attacker owns both wallets, this is called a wash trade, which is something that has been illegal for over 80 years.

…in regulated markets.

As if wash trades aren't rampant on crypto exchanges. I suspect crypto exchanges are using wash trades to prop up the entire house of cards.