October 12, 2022

Mango Markets crypto exchange loses $116m as regulators eye more DeFi rules

Mango Markets suffered a 'flash loan' attack late last night that saw it lose $116m.

By Claudia Glover

Cryptocurrency exchange Mango Markets lost $116m yesterday in an attack which saw the market manipulated. It is part of a spate of attacks on cryptocurrency platforms this month, with four registered in the last 24 hours alone. These actions would be illegal in traditional financial markets, and come as efforts are made to strengthen and standardise crypto regulation around the world, with the Financial Stability Board (FSB), which monitors the global financial system, releasing a new set of guidelines for governments earlier today.

Mango Markets lost $116m in a cyberattack late last night. (Photo by Satheesh Sankaran/Shutterstock)

The Mango Markets platform was drained of $116m late last night. The attacker temporarily drove up the price of the platform’s coin, MNGO, allowing them to manipulate their collateral on the platform and obtain oversized loans from Mango’s treasury. It is reported the hacker initially opened an enormous futures position, an agreement to buy tokens at a future date and price, to increase the price of the token.

The price of MNGO shot up by around 1000% within minutes, elevating the collateral value of the hacker’s account. It has since fallen dramatically, and at the time of writing is valued at $0.02563, according to data from CoinMarketCap.

In a bizarre turn of events, the unnamed perpetrator has proposed governance changes which would see Mango Markets pay back bad debt within its protocol out of the exchange’s capital reserves. If the change is approved, the hacker says they will pay back stolen coins worth $50m, keeping the remaining $70m.

The vote on the proposal is held by the company’s host blockchain Solana, and closes on 14 October. The attacker has reportedly used their stolen MNGO coins to vote yes on the proposal.

Mango Markets and crypto manipulation

These types of attacks, where the price of a coin is manipulated to exploit quick, or “flash”, loans, are increasingly common. A report by blockchain security organisation Certik says that a total of $308m was lost across 27 flash loan attacks in the second quarter of 2022 alone, an enormous increase from $14m in Q1.


“Hackers are not able to change data on a blockchain once it’s committed,” says Avivah Litan, VP and blockchain researcher at Gartner. “[But] they are able to manipulate processes that generate updates to the blockchain, assuming those processes are centralised.” 

A lack of regulation around flash loans leaves platforms like Mango Markets, and their customers, vulnerable. “Things like insider trading and market manipulation are illegal [in traditional financial markets],” says Grant Wyatt, COO at security company MIRACL. “This would have helped Mango Markets in this situation.”

In the UK, insider dealing and market manipulation are criminal offences under the 2012 Financial Services Act.

The Mango Markets attack is one of seven attacks this month, and one of four in the past 24 hours, according to Comparitech’s crypto-heist tracker.

So far this month, cryptocurrency hacks have seen almost $250m stolen, adding to an overall total of $2.53bn this year.   

DeFi platforms have become a focus for hackers because, where centralised exchanges have tightened up on security in recent years, DeFi platforms are still relatively new and therefore less robust, explains Rebecca Moody, research lead at Comparitech. 

“Where centralised exchanges are run by an entity that’s in control of user funds, DeFi platforms are essentially providing a platform for crypto users to trade between themselves,” Moody says.

Is more DeFi regulation on the way?

Regulation mimicking traditional financial markets would boost the security of the cryptocurrency landscape, argues Slava Demchuk, CEO and co-founder of crypto compliance company AMLBot. “Regulations that would help are technical standards for smart contracts that must be met and set up by the regulator and anti-money laundering and know your customer requirements for DeFi users,” he argues.

New rules are being developed in different markets to make DeFi safer for businesses and consumers. On Monday, the European Union’s MiCA legislation, which will provide a regulatory framework for crypto assets, was passed by the European Parliament’s economic and monetary affairs committee, and will now advance to a full vote by the European Parliament.

The US launched plans for a crypto regulatory framework last month, and earlier today the Financial Stability Board, which monitors the global financial system, proposed a series of recommendations to unify these regulatory approaches.

FSB recommendations include demanding greater levels of transparency from crypto platforms like Mango Markets. The organisation also says standard governance and risk management frameworks should be put in place to offer more security to users.
