BNB Chain & Mango Markets Hacked For 9 Figures?
It’s been a tough week for crypto safety, as BNB Chain and Mango Markets were both hacked for 9 figures.
Let’s dive into what happened and what it means going forward.
BNB Chain
First up, we have BNB Chain – the layer-1 blockchain backed by crypto exchange kingpin, Binance. The blockchain was hacked last week for $586 million, with the attacker eventually escaping with $127 million.
Although this is definitely not good news, the reaction by Binance is what really has people concerned.
What Happened?
On October 6th, BNB Chain tweeted that they were temporarily pausing the chain because of “irregular activity.”
Due to irregular activity we're temporarily pausing BSC. We apologize for the inconvenience and will provide further updates here.
Thank you for your patience and understanding.
— BNB Chain (@BNBCHAIN)
10:19 PM • Oct 6, 2022
As we now know, this irregular activity turned out to be the third-largest crypto hack of all time.
Paradigm security researcher @samczsun explains the hack very well in the thread below, but basically, the hacker was able to trick the BNB bridge into minting them 2 million BNB tokens.
Five hours ago, an attacker stole 2 million BNB (~$566M USD) from the Binance Bridge. During that time, I've been working closely with multiple parties to triage and resolve this issue. Here's how it all went down.
— samczsun (@samczsun)
11:35 PM • Oct 6, 2022
Once they acquired the BNB tokens, the hacker tried to sneak out by using the loot as collateral to borrow stablecoins from the lending platform Venus Protocol. Unfortunately (for them), they could only make off with $127 million before the chain was paused, freezing the rest of the funds until a governance vote decides what to do with them.
A Decentralized Blockchain?
The pausing of the chain has not come without controversy.
As Binance puts it, “decentralized blockchains are not designed to be stopped.” If that is the case, then what does that make BNB Chain? It only has 26 validators, who are now proven willing to stop the chain on short notice. Is a blockchain with 26 validators truly decentralized?
Ultimately, this is a question that BNB Chain will need to definitively settle sooner rather than later. Decentralized finance deserves blockchains that are actually decentralized, not decentralized in name only.
Another Bridge Hack
Besides the extremely important question of decentralization, the BNB hack also once again brings into question the safety of bridges.
The leaderboard of the largest crypto hacks is littered with bridges, which really makes one wonder if bridges will ultimately be a part of crypto. If crypto is ever to be widely adopted, it has to be at least as safe as the legacy financial system. Unfortunately, even the most ardent crypto supporters will not say bridges are safe right now.
Without safe bridges, the AppChain future that many envision would be impossible. Instead, it is likely that crypto would be held on one or two dominant blockchains. In other words, a bridge-less future is bullish for Ethereum and Solana and bearish for Cosmos and Polkadot.
Hopefully, for those of you who hold Cosmos (ATOM) or Polkadot (DOT), bridge designers will eventually figure out how to create truly safe bridges.
Mango Markets
This week’s second hack belongs to Solana’s flagship trading protocol, Mango Markets. The protocol was hacked on Wednesday for $115 million, using a method that had been forecast to the team, to a T, seven months ago.
What Happened?
Mango is a trading protocol that allows users to post collateral to obtain leverage. The hacker was able to manipulate this to their advantage. Joshua Lim breaks it down in this Twitter thread, but basically, the hacker manipulated the price of MNGO to take out a $115 million loan, draining all of Mango’s liquidity and leaving the protocol with $115 million in bad debt.
1/ this is how I think the mango attack played out, please let me know if I got anything wrong:
at 6:19 PM ET, attacker funded acct A (CQvKS...) with 5mm USDC collateral
trade.mango.markets/account?pubkey…
— Joshua Lim (@joshua_j_lim)
12:09 AM • Oct 12, 2022
As a result of the hack, 4,000 shorts on Mango were liquidated, Solana’s total value locked is down by 25%, and the price of MNGO is down 31%.
The Proposal
As if hacking Mango wasn’t bad enough, the hacker is now taking it upon himself to mock “decentralized” governance.
The hacker has proposed a governance vote in which the hacked funds are returned in exchange for the $70 million in the Mango treasury and a promise to not pursue criminal charges. The kicker? The hacker has by far the most MNGO tokens, which he used to vote “yes”.
It doesn’t look like a quorum will be reached, but still, not the best look for “decentralized” governance.
Unanswered Questions
The hack itself is done, but the story is not. There is still a range of questions to be answered in the coming days:
The hacker funded his account from FTX. Could FTX have had a hand in the attack? Even if there are no FTX ties, who is this mysterious and well-funded market manipulator?
Back in March, the Mango team was warned of the possibility of an attack like this. Why didn’t they take it more seriously?
If the governance vote passes, how binding would the promise not to pursue criminal charges be? Is a DAO vote as good as a contract? If they do honor it, then other hackers might be inspired to undertake similar attacks. However, if they don’t, the legitimacy of DAO governance would take a major hit. It’s a lose-lose situation for Mango, and we definitely don’t envy their position.