Mango Hacker Uses Stolen Funds to Pit Community Against Developers

The hacker behind the $100 million breach of the Mango Markets platform appears to have voted for their own solution for returning the stolen funds, using the same governance tokens taken in the hack.

A person claiming responsibility for the attack told members of the project’s decentralized autonomous organization (DAO) that they will return the majority of the loot if the community agrees to repay bad debt that was taken during a June operation to save a different Solana project called Solend.

Mango Markets is a Solana-based decentralized exchange (DEX). It is governed by a DAO made up of holders of its native token, MNGO.

The hacker cast almost 33 million votes in favor of the proposal, giving it a current approval rating of 99.9%.

The tokens used to vote “yay” were held by the same account as the one associated with the hacker, suggesting that they were pilfered in yesterday’s exploit.

But with voting set to end on Friday, another 67 million “yes” votes are still needed to make the result quorate.

Whether the result will have any legitimacy given the way it has been reached remains to be seen.

Meeting Mango hacker’s demands

The proposer’s demands revolve around bad debt that resulted from a bailout executed by Mango Markets and fellow Solana platform Solend in June. 

The package was put together at the time for a whale in the Solend system whose hefty loans threatened to destabilize or even topple Solana.

At one point during the crisis, the whale had borrowed 88% of all available USDC on Solend. Some $25 million worth of debt was then moved across to Mango Markets, alleviating the pressure on Solend’s liquidity.

The proposer now wants Mango to use the 70 million USDC in its treasury to pay off this bad debt created in June.

“If this proposal passes, I will send the MSOL, SOL, and MNGO in this account to an address announced by the Mango team,” they wrote on the project’s Realms page. 

Realms is a governance tool for DAOs that lets them coordinate votes and allocate treasury funds.

“The Mango treasury will be used to cover any remaining bad debt in the protocol, and all users without bad debt will be made whole. Any bad debt will be viewed as a bug bounty / insurance, paid out of the mango insurance fund,” the proposal continues.

Mango’s co-founder Dafydd “Daffy” Durairaj said in a reply to the Realms post, which he confirmed was written by him by retweeting it on Twitter, that the team was “working through tallying the losses and limiting losses wherever we can.”

While he could not give a concrete proposal, he said clearing the hacker of any wrongdoing and ensuring they made a healthy profit were his top objectives. These were followed by aiming to make all Mango depositors whole, and finally maintaining some funds in the Mango DAO treasury.

Durairaj also tweeted on Wednesday that he would do “everything in my power” to recover depositors’ funds.