The community of decentralized-finance application Mango DAO on Saturday got back a portion of about $100 million stolen this week after letting the hacker keep about $50 million of the funds.
The settlement wraps up several days of tense negotiations between the hacker and Mango, which is governed by its community of token holders who vote on any changes. Soon after the theft, the hacker posted a proposal in the app’s governance forum asking for bad debts on the platform to be erased – a deal that was not approved by the majority of Mango token holders even after the hacker voted for it with some of the stolen tokens.
The Mango team then posted a counter proposal, offering to let the hacker keep around $50 million for the return of the rest of the funds while promising no criminal prosecution and to erase the bad debt.
“We just got notice of the funds being returned,” Maximilian Schneider of Mango said in a Discord message to Bloomberg on Saturday. Community members are expected to meet to discuss how to refund the returned $67 million to users, with votes on the plans taking place next week, according to Mango’s Twitter.
In a series of tweets Saturday, an individual took responsibility for the hack, saying he was “involved with a team that operated a highly profitable trading strategy last week” on Mango.
“I believe all of our actions were legal open market actions, using the protocol as designed, even if the development team did not fully anticipate all the consequences of setting parameters the way they are,” according to the account who claims to be Avraham Eisenberg.
When reached on Twitter, the user didn’t immediately provide evidence of his identity. Mango’s Schneider pointed to the Tweet as coming from the hacker, saying he disagreed that the actions were legal.
The payout is likely one of the biggest ever to a hacker. More than a year ago, PolyNetwork offered an attacker who drained $610 million from the platform a job and a bounty for returning the funds, which were eventually reimbursed. Bounties can run into millions – but they are typically offered to coders who point out vulnerabilities, not to hackers who steal funds.
“This is a clear failure of secure governance,” said Michael Lewellen, head of solutions architecture at crypto security provider OpenZeppelin. “If an attacker can steal enough tokens to vote themselves a reward, it sends a signal that DAOs can be hacked successfully using stolen tokens to avoid repercussions. This signals the need for better governance security that accounts for malicious token voters.”
In the Mango heist, two accounts funded with the stablecoin USD Coin took large positions in Mango perpetual futures, causing the price of the Mango token to spike. The price jump stoked an unrealized profit from the futures. The attacker used that to borrow and withdraw about $100 million, leaving depositors with nothing.
The hacker stole more than 10% of all value locked on the Solana blockchain that Mango is based on, according to DeFi Llama. Just how much the hacker will profit from the hack is unclear, as the attacker invested millions into executing the attack.
Hacks in crypto are common, with at least $718 million stolen so far in October alone, taking the gross tally for the year past $3 billion and putting 2022 on course to be a record for the total value hacked, according to blockchain specialist Chainalysis Inc.