"According to Lim, the hacker funded the main account (account A) and offered 483mm units of $MNGO perps on the order book. The attacker then funded a second account (account B) with 5mm $USDC collateral. Then, he/she used the funds to buy the 483mm units of $MNGO perps (at a price of $0.0382 per unit). The perpetrator’s actions made $MNGO’s spot market price, reaching as high as $0.91. $MNGO/USD price of $0.91 per unit, account B was in the money by 483mm times ($0.91 – $0.03298) = $423mm. That was enough unrealized P&L to take out a loan of $116mm across a bunch of tokens. This left mango and left the protocol at a deficit,” Lim stated."
Is this a "hack", or a legitimate financial transaction? Nothing above looks illegal. In regulated markets, if something went from $0.03 to $0.91 in a short space of time, trading would be shut down. Nobody would sell you a loan on something that had just had a giant change in price.
But the crypto sector doesn't want exchange regulation, so they don't have the "circuit breakers" that, say, the CBOE does.
Web3isgoinggreat[1] tracks total losses in the cryptocurrency sector. Their total counter just advanced to $11 billion.
> But the crypto sector doesn't want exchange regulation, so they don't have the "circuit breakers" that, say, the CBOE does.
The description of crypto markets as "speedrunning the history of why we have the financial regulations we do" seems more and more accurate as time goes on.
But I agree, this isn't a "hack" in the normal sense. It may be a "hack" in the broader, "clever use of a system against the desires of the designer" sense, but it doesn't seem like any security boundaries were bypassed, just that the attacker made the system perform, per its rules, in a way that had not been predicted. Not a bad haul... good luck cashing it out, though.
> But the crypto sector doesn't want exchange regulation, so they don't have the "circuit breakers" that, say, the CBOE does.
If this platform doesn't have circuit breakers, it's simply because either they didn't think of it, they didn't think it was important, or they thought it was a bad idea.
There's nothing in crypto that clashes with the idea of a circuit breaker, it's completely orthogonal. And it shouldn't be too hard to code into the smart contract.
By the way I believe only some stock exchanges in the world have circuit breakers, it's not something as universal or required as you make it seem.
More of a financial exploit, but don't conflate popular crypto sentiment from Twitter with what's possible. There is no reason regulation is required to prevent this on a automatic protocol level - but no surprise in the DeFi space if preventing this type of exploit isn't an active area of development.
NB: This article is about the $115 million Mango Markets hack of a few days ago, not about the $127 million exploit of Binance's blockchain from last week or the $160 million Wintermute hack from last month or the $1.2 billion-with-a-'b' Acala hack from the month before, or...
Crypto being public might mean more hacks get reported whereas a 100 private businesses getting phished out of a million wont register even if the information is available to a reporter.
Code is law working out real well over here. The code said that we should value MNGO at the current spot price, so that's what the code did, and poof went the entire network.
In the real world we have things like leverage ratios, anti-manipulation laws, circuit breakers, etc. Some of this is regulatory, and others are just things we figured out were good ideas many years ago.
I think there's a sense of hubris in the new code is law advocates. As a programmer, code is law scares me because I know code is nothing if not buggy, whereas law has real mechanisms where the case is presented in front of humans that generally speaking have reasonable thoughts. Yes law is flawed, judges can be biased, lawyers are expensive, but throwing all of that away in favour of code on the internet seems much worse.
Judges can issue injunctions that say "freeze everything until we sort it out in court", whereas code just runs whether you want it to or not. Courts can say "reverse all the transactions related to x", and blockchain is, by design, immutable.
Playing devil's advocate here, since I'm generally of your opinion: there is nothing that prevents more code being written covering more unintended uses of the technology, including injuctions and reversals. If at all, there is a hubris that complex problems can be solved with clean, minimal code and simple concepts. After all, when rendering their decisions, human courts are also solely refering to rules written before the fact (in my home country at least).
Yes and: Software bugs and law "bugs" are orthogonal. My hunch is their respective bugs don't cancel each other out, but rather the mismatch somehow makes each side worse.
FWIW, I recently read Seeing Like a State and am still trying to process what trying make society more legible (manageable) even means.
Hate to be that guy, but someone has to say it... In this case the code worked as expected and the "attacker" played within the rules of the game. Except they "won" too much. That's not supposed to happen.
"As expected" is doing a lot of lifting here. In some sense, this is true for all hacks. The code is just doing what you told it to do when it returns to some gadget in libc after the return address is smashed.
All exploits are making a program do what it says it does but where that behavior is different than what the developers hoped it would do.
I think the really great thing about this hack, is this platform is governed by a DAO. Apparently, the person who pulled this heist ended up with enough governance tokens that they could propose something to do the DAO along the lines of "I'll send you a bit of money back if you say you won't call the cops" and was able to vote for it themselves with 32million votes. https://dao-beta.mango.markets/dao/MNGO/proposal/3WZ5DpZXDvN...
"Then, he/she used the funds to buy the 483mm units of $MNGO perps (at a price of $0.0382 per unit). The perpetrator’s actions made $MNGO’s spot market price, reaching as high as $0.91"
Is the second sentence sentence missing some words? Or is there something specific about Mango that makes this make sense? If 483mm units were bought for $0.0382 per unit (is that the average price, a fixed price?), why did the spot price suddenly increase 30x, was there that big of a spread in the order book? Also how does that add up to $5mm USDC? Isn't $0.0382 x 483mm = $18.4506mm?
First question: yes, the missing part is that the attacker also had to buy a bunch of spot mango tokens on centralized exchanges to drive the price up after establishing the large position.
Second question: Mango Markets lets you trade perpetual futures with leverage, so you don't need collateral equal to the notional value of the contracts you buy.
The entire cryptocurrency hype machine is predicated upon quoting market capitalization based on instantaneous spot prices. Nobody thinks about liquidity until it's gone.
the people that don't architect their systems for oracle manipulations?
the way people talk around here reminds me of people in the 90s ‘that dun undastand dem puters with their viruses”, interestingly the folly and new problems presented by computers never went away, consumer and developer behavior improved
The usual way to fix this sort of thing is with a human-in-the-loop retroactive fix process. But that's called "regulation" and "lawsuits", and the cryptocoin crowd trends to not like those.
Every time I have dis'd crypto in comments on HN they always loose karma. This is the first discussion with people that agree with me. I have found my tribe:)
From what I'm seeing here, all the individual things that were done _were_ correct. It just so happens that the system was setup with rules that allow for this type of thing. A probably correct program would not have helped here.
The problem is that you can't predict ahead of time every use case.
That's why today's financial system has the ability to manually revert back to a previous state if something gets wrong e.g. undo transactions, government bailouts etc.
Hey Matt! There is some interesting work done in this area. For example https://reach.sh/ lets you write formally verified smart contracts.
I guess this is helpful with some classes of bugs. But I'm not sure it would with most. For example it is unclear if it would have caught this problem since (from the vague description!) it appears it would have needed some economic modelling to catch.
[+] [-] Animats|3 years ago|reply
Is this a "hack", or a legitimate financial transaction? Nothing above looks illegal. In regulated markets, if something went from $0.03 to $0.91 in a short space of time, trading would be shut down. Nobody would sell you a loan on something that had just had a giant change in price. But the crypto sector doesn't want exchange regulation, so they don't have the "circuit breakers" that, say, the CBOE does.
Web3isgoinggreat[1] tracks total losses in the cryptocurrency sector. Their total counter just advanced to $11 billion.
[1] https://web3isgoinggreat.com/
[+] [-] Syonyk|3 years ago|reply
The description of crypto markets as "speedrunning the history of why we have the financial regulations we do" seems more and more accurate as time goes on.
But I agree, this isn't a "hack" in the normal sense. It may be a "hack" in the broader, "clever use of a system against the desires of the designer" sense, but it doesn't seem like any security boundaries were bypassed, just that the attacker made the system perform, per its rules, in a way that had not been predicted. Not a bad haul... good luck cashing it out, though.
[+] [-] redox99|3 years ago|reply
If this platform doesn't have circuit breakers, it's simply because either they didn't think of it, they didn't think it was important, or they thought it was a bad idea.
There's nothing in crypto that clashes with the idea of a circuit breaker, it's completely orthogonal. And it shouldn't be too hard to code into the smart contract.
By the way I believe only some stock exchanges in the world have circuit breakers, it's not something as universal or required as you make it seem.
[+] [-] mattwilsonn888|3 years ago|reply
[+] [-] leereeves|3 years ago|reply
If the "perpetrator" sold 483mm units on one account and bought 483mm units on another account, why did the market price rise so much?
[+] [-] airza|3 years ago|reply
[+] [-] NotYourLawyer|3 years ago|reply
[+] [-] vkou|3 years ago|reply
Because the attacker owns both wallets, this is called a wash trade, which is something that has been illegal for over 80 years.
[+] [-] unknown|3 years ago|reply
[deleted]
[+] [-] mewse|3 years ago|reply
[+] [-] quickthrower2|3 years ago|reply
[+] [-] unknown|3 years ago|reply
[deleted]
[+] [-] anonymoushn|3 years ago|reply
[+] [-] cowtools|3 years ago|reply
[+] [-] e63f67dd-065b|3 years ago|reply
In the real world we have things like leverage ratios, anti-manipulation laws, circuit breakers, etc. Some of this is regulatory, and others are just things we figured out were good ideas many years ago.
I think there's a sense of hubris in the new code is law advocates. As a programmer, code is law scares me because I know code is nothing if not buggy, whereas law has real mechanisms where the case is presented in front of humans that generally speaking have reasonable thoughts. Yes law is flawed, judges can be biased, lawyers are expensive, but throwing all of that away in favour of code on the internet seems much worse.
Judges can issue injunctions that say "freeze everything until we sort it out in court", whereas code just runs whether you want it to or not. Courts can say "reverse all the transactions related to x", and blockchain is, by design, immutable.
[+] [-] groestl|3 years ago|reply
[+] [-] specialist|3 years ago|reply
FWIW, I recently read Seeing Like a State and am still trying to process what trying make society more legible (manageable) even means.
[+] [-] bouncycastle|3 years ago|reply
[+] [-] quickthrower2|3 years ago|reply
Obtaining someone elses tokens because code had flaw = Hack
[+] [-] UncleMeat|3 years ago|reply
All exploits are making a program do what it says it does but where that behavior is different than what the developers hoped it would do.
[+] [-] randomfool|3 years ago|reply
[+] [-] SilverBirch|3 years ago|reply
[+] [-] squeaky-clean|3 years ago|reply
Is the second sentence sentence missing some words? Or is there something specific about Mango that makes this make sense? If 483mm units were bought for $0.0382 per unit (is that the average price, a fixed price?), why did the spot price suddenly increase 30x, was there that big of a spread in the order book? Also how does that add up to $5mm USDC? Isn't $0.0382 x 483mm = $18.4506mm?
[+] [-] anonymoushn|3 years ago|reply
Second question: Mango Markets lets you trade perpetual futures with leverage, so you don't need collateral equal to the notional value of the contracts you buy.
[+] [-] nl|3 years ago|reply
https://twitter.com/joshua_j_lim/status/1579987648546246658?... is the source overview.
The software all worked as expected, and it's difficult to see exactly which step you'd go "no, the person shouldn't have done that".
Arguably the fault is with the loan protocols that valued collateral at the instant spot price rather than some kind of time-averaged price.
[+] [-] datalopers|3 years ago|reply
The entire cryptocurrency hype machine is predicated upon quoting market capitalization based on instantaneous spot prices. Nobody thinks about liquidity until it's gone.
[+] [-] piva00|3 years ago|reply
[+] [-] stevebmark|3 years ago|reply
[+] [-] mardoik|3 years ago|reply
[+] [-] yieldcrv|3 years ago|reply
the people that don't architect their systems for oracle manipulations?
the way people talk around here reminds me of people in the 90s ‘that dun undastand dem puters with their viruses”, interestingly the folly and new problems presented by computers never went away, consumer and developer behavior improved
[+] [-] DemeterFarm|3 years ago|reply
[+] [-] randomerer|3 years ago|reply
[+] [-] renewiltord|3 years ago|reply
[+] [-] tbrownaw|3 years ago|reply
[+] [-] senko|3 years ago|reply
[+] [-] strangattractor|3 years ago|reply
[+] [-] formerkrogemp|3 years ago|reply
[+] [-] dainiusse|3 years ago|reply
[+] [-] uptownfunk|3 years ago|reply
[+] [-] unknown|3 years ago|reply
[deleted]
[+] [-] janef0421|3 years ago|reply
[+] [-] mmastrac|3 years ago|reply
[+] [-] RHSeeger|3 years ago|reply
[+] [-] threeseed|3 years ago|reply
That's why today's financial system has the ability to manually revert back to a previous state if something gets wrong e.g. undo transactions, government bailouts etc.
[+] [-] nl|3 years ago|reply
I guess this is helpful with some classes of bugs. But I'm not sure it would with most. For example it is unclear if it would have caught this problem since (from the vague description!) it appears it would have needed some economic modelling to catch.
[+] [-] cercatrova|3 years ago|reply
[+] [-] zeronine|3 years ago|reply
[+] [-] sinerath|3 years ago|reply
[+] [-] beardyw|3 years ago|reply
https://web3isgoinggreat.com
Multiple scams and failures every day.