Mango Madness: Exploiter Could Walk Away With Unparalleled ~$50M Bug Bounty
Forget March Madness, Mango Madness is in season this time of year. The Solana-based lending protocol has been a spectacle unlike any other throughout this week, and that’s certainly saying something considering the amount of antics crypto brings to the table on frequent occasion. Since our first covering of Mango’s exploit that led to a full-fledged drain of the protocol, things have only gotten more twisted and convoluted.
Let’s take a look at how things have developed this week and where things go for Mango Markets moving forward.
A Mango Monstrosity
Mango’s exploiter has generally been seen in the crypto community as less “hacker” and more “manipulator,” if we’re being frank. Regardless, things got interesting after Tuesday’s exploit when the attacker initiated a governance proposal; that proposal is said to have closed. However, a subsequently-created proposal by Mango Markets (which has now passed, as of Saturday morning) is phrased as a bug bounty to make users whole, but it settles Mango with just shy of $70M of their existing $114M balance. That leaves the exploiter with a nearly $50M ‘bug bounty,’ a strikingly large number compared to any previous bug bounty in crypto and one that has led to a large degree of criticism (look no further than the governance proposal’s comment section for evidence of this).
The exploiter quickly deployed the MNGO tokens that they seized (roughly 30M tokens) to vote in favor of their own initial proposal, but did not seem to vote on the subsequent and closing proposal – which nonetheless closed at a tally of 473M in favor and 16.6M against. The exploiter has seemingly gained protection through the proposal as well, as the protocol “will not pursue any criminal investigations or freezing of funds once the tokens are sent back as described,” according to the proposal’s language.
It’s hard to say where we go from here, and what degree of protection that attacker will actually see. The exploiter has reportedly funded attacking accounts with an FTX wallet, and their degree of protection is up for speculation.
Regardless, even when you deduct the initial $10M balance that the exploiter introduced into Mango, the protocol is generally giving up a heftier sum then usually seen in these scenarios – one of the largest in crypto’s history, in fact. We’ll see if the protocol can keep the heartbeat alive and shut down critics in the long run.Source