November 30th, 2022
In October 2022, Avraham Eisenberg successfully drained $100 million from Mango Markets. However, a similar attack performed against the Aave protocol failed, causing him to lose millions.
In the Mango Markets hack, the attacker exploited the project’s low liquidity and volume in a price manipulation attack. The attacker began by taking out a MANGO-PERP position using over $5 million in tokens deposited into the protocol.
Using another account, the attacker then purchased the offered units for $0.0382 apiece, which raised the spot price. The spot price continued to climb, peaking at $0.91 per unit. This increase resulted in the second account showing a profit of approximately $423 million. That paper profit was then used as collateral to take out a loan of $116 million, draining the liquidity from the protocol. The resulting drop in spot price (to about $0.02) also put the first account in profit, which would have allowed a further drain had any additional value remained in the protocol.
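To show the mitigation side of the pattern above (borrowing against collateral valued at a briefly manipulated spot price), here is an added example that is not code from this post or from either protocol: a Python check that values collateral at a time-weighted average price and refuses borrows while spot deviates sharply from it. The price series, position size, loan-to-value ratio, window and deviation threshold are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed per-block spot prices (USD) for a thin-liquidity token, shaped like
# the spike described above. Illustrative values only, not Mango Markets data.
SPOT_SERIES = [0.038, 0.038, 0.039, 0.038, 0.45, 0.91, 0.72, 0.05, 0.02, 0.02]


@dataclass
class BorrowCheck:
    spot_value: float   # collateral valued at the latest spot price
    twap_value: float   # collateral valued at the time-weighted average price
    deviation: float    # |spot - twap| / twap
    allowed: bool       # True if the borrow passes the TWAP and deviation rules


def twap(prices, window):
    """Average of the last `window` equal-interval price observations."""
    recent = prices[-window:]
    return sum(recent) / len(recent)


def spot_only_cap(prices, units, ltv):
    """What a spot-price-only lender would let `units` of collateral borrow."""
    return units * prices[-1] * ltv


def check_borrow(prices, units, ltv, amount, window=6, max_deviation=0.5):
    """Decide whether borrowing `amount` against `units` of collateral is allowed.

    Hardened rule (assumed for this example): value collateral at the lower of
    spot and TWAP, and refuse any borrow while spot deviates from the TWAP by
    more than `max_deviation`, so a brief spike cannot be cashed out as a loan.
    """
    spot = prices[-1]
    avg = twap(prices, window)
    spot_value = units * spot
    twap_value = units * avg
    deviation = abs(spot - avg) / avg
    cap = min(spot_value, twap_value) * ltv
    allowed = deviation <= max_deviation and amount <= cap
    return BorrowCheck(spot_value, twap_value, deviation, allowed)


if __name__ == "__main__":
    units, ltv, amount = 100_000_000, 0.8, 50_000_000
    for n in range(4, len(SPOT_SERIES) + 1):
        seen = SPOT_SERIES[:n]
        chk = check_borrow(seen, units, ltv, amount)
        print(f"block {n - 1}: spot={seen[-1]:.3f} "
              f"spot_cap={spot_only_cap(seen, units, ltv):>12,.0f} "
              f"twap_cap={chk.twap_value * ltv:>12,.0f} "
              f"dev={chk.deviation:.2f} allowed={chk.allowed}")
```

At the constructed peak block the spot-only cap is about 72.8 million while the TWAP cap is about 20.2 million, and the deviation rule blocks the borrow outright; once prices settle the same check admits a normally sized loan.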
In November, the Aave attacker took out a loan of 40 million CRV tokens from Aave, betting on a drop in price. However, the price actually rose during the attack, resulting in losses for the attacker due to their significant short position.
Mango Markets and Aave experienced similar attempts to manipulate markets for profit. One succeeded, while the other failed.
However, in neither case did the protocol take advantage of the opportunity to fix the problem before it was exploited. Concerns about the risks to Mango Markets were raised in March — six months before the attack — and Eisenberg announced his intention to attack Aave before it happened. However, efforts to close the security gaps were only taken after the protocols were attacked.
Proactive security is the best way to limit risk to DeFi projects and their users. To learn more about protecting your project, reach out to our Web3 security experts at firstname.lastname@example.org.