Financial hacking is a new and rapidly growing threat to decentralized finance, the once-hot segment of the crypto universe that was at the center of this year’s collapse of the digital-asset world.
After being plagued for years by hackers exploiting coding flaws to siphon funds from cryptocurrency projects, DeFi now faces attackers who use the automated software programs that power its platforms to manipulate transactions and seize control of the millions of dollars in assets locked in protocols that let users borrow and lend without intermediaries.
Over the weekend, the DeFi application Mango DAO agreed to vow not to pursue legal action and to let a self-described trader keep roughly half of the $100 million in assets he seized, in exchange for the return of the remaining funds. The Mango exploiter’s method has been linked to other notorious attacks: Beanstalk was attacked for $182 million in April, and Harvest Finance lost $34 million in 2020. A $9 million exploit occurred on Tuesday on the decentralized credit network Moola Market.
On Saturday the community of the decentralized-finance program Mango DAO received back part of the roughly $100 million stolen this week, after agreeing to let the hacker keep about $50 million of the assets.
The Mango team had published a counteroffer: it pledged not to file charges and to write off the bad debt in exchange for the return of the remaining assets, and it let the hacker keep approximately $50 million.
In a Discord message to Bloomberg on Saturday, Maximilian Schneider of Mango stated, “We just got notice of the monies being returned.” According to Mango’s Twitter, community members will meet to discuss ways to reimburse users for the returned $67 million, with votes on the proposals the following week.
A man claimed credit for the breach in a series of tweets on Saturday, claiming to have been “associated with a team that operated a highly profitable trading strategy last week” on Mango.
The agreement ends days of contentious discussions between the hacker and Mango, whose token holders collectively run the platform and decide on any changes. Soon after the theft, the hacker posted a proposal on the app’s governance forum requesting that the platform’s bad debts be erased. Although the hacker voted for the proposal using part of the stolen Mango tokens, the majority of token holders rejected it.
The industry is at a fork in the road, since the growing tendency seems to fall into a murky legal area. As the Mango exploiter put it, violators and other ardent cryptocurrency fans view these actions as “a rewarding trading approach.” Industry players are therefore calling for more legislative clarity to outlaw the practice, which risks further undermining investor confidence as the blockchain industry struggles to survive a severe market slump. Some people have referred to it as outright financial manipulation.
Ken Deeter, a partner at Electric Capital, a venture capital firm that has funded businesses including the nonfungible token market Magic Eden and the digital asset exchange Kraken, stated, “we’re sort of driving automobiles without seat belts right now.”
The Mango attacker took sizable holdings in Mango perpetual swaps, futures that permit traders to hold a position open indefinitely, using two accounts funded with the stablecoin USD Coin. This drove up the spot price of the token, which allowed the exploiter to use his suddenly more valuable position as collateral for loans that drained about $100 million from the system, leaving depositors with nothing.
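To make the mechanism above concrete from a defender's side, here is an added toy model (not Mango's code, and all prices, quantities and pool sizes are constructed): a lending pool that values a token position by an oracle and lends USDC against it. Valuing collateral at the latest spot print lets a single manipulated price drain the whole pool, whereas a time-weighted average price plus a per-asset exposure cap bounds the damage and a spot-versus-average deviation check flags the spike.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Optional


@dataclass
class PerpLendingMarket:
    """Toy model: collateral is a token position valued by an oracle,
    and users borrow USDC from a shared deposit pool against it."""
    pool_usdc: float                 # total USDC deposited by lenders
    ltv: float = 0.8                 # loan-to-value applied to collateral
    prices: list = field(default_factory=list)  # recent spot prints, oldest first

    def record_price(self, price: float) -> None:
        self.prices.append(price)

    def twap(self) -> float:
        """Average of the recorded window (equal weight per tick)."""
        return mean(self.prices)

    def max_borrow(self, qty: float, use_twap: bool,
                   exposure_cap: Optional[float] = None) -> float:
        """USDC a user can draw against `qty` tokens; bounded by pool liquidity."""
        price = self.twap() if use_twap else self.prices[-1]
        credit = qty * price * self.ltv
        if exposure_cap is not None:       # mitigation: cap borrow per collateral asset
            credit = min(credit, exposure_cap)
        return min(credit, self.pool_usdc)

    def spot_deviation_alert(self, max_ratio: float = 2.0) -> bool:
        """Detection: flag when the latest print runs far above the window average."""
        return self.prices[-1] / self.twap() > max_ratio


def scenario() -> dict:
    """Constructed run: nine quiet ticks, then one 10x spike on thin liquidity."""
    m = PerpLendingMarket(pool_usdc=20_000_000)
    for _ in range(9):
        m.record_price(0.04)
    m.record_price(0.40)
    qty = 100_000_000                  # constructed position size held by the attacker
    return {
        "spot_valued": m.max_borrow(qty, use_twap=False),
        "twap_valued": m.max_borrow(qty, use_twap=True),
        "twap_capped": m.max_borrow(qty, use_twap=True, exposure_cap=5_000_000),
        "alert": m.spot_deviation_alert(),
    }
```

With spot valuation the inflated position is worth more than the entire pool, so every deposit can be borrowed out; with the averaged price the credit line drops to a fraction of that, and the cap bounds it further.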
Erin Plante, vice president of investigations at crypto-security company Chainalysis, said: “This is different from the code exploits we’ve often seen this year in breaches of DeFi providers, and not something that additional security measures can easily avoid.”
According to Steve Walbroehl, co-founder and chief information security officer of Halborn, a blockchain-security business, the incident amounts to “financial hacking,” a phenomenon exclusive to cryptocurrencies. In these situations, offenders profit from the connectivity of many DeFi platforms and the absence of credit checks and other safety measures standard in conventional banking, and then manipulate the market to their advantage.
“This entire open financial system of democratized access to finance and services is fantastic, but it also creates weaknesses for it to be used as a weapon against itself,” Walbroehl said.
Mango’s choice only appeared to give the self-declared suspected exploiter, who posts under the handle Avraham Eisenberg on Twitter, more confidence. Only a few days after the two parties agreed, he started to promote identical tactics for use against the Aave lending platform. When reached by Bloomberg News, Eisenberg declined to confirm his identity.
Aave should see the tweet as a threat, according to Chris Tarbell, co-founder of the cybersecurity firm NAXO. “There is no fear of bodily harm. Thus, it is not an arrestable misdemeanor, but I would be concerned if I worked for this company. He is taking advantage of systemic flaws in this way.”
Experiments like the Mango attack, according to Tarbell, a former Federal Bureau of Investigation special agent who assisted in the capture of famed crypto hacker and darknet website operator Ross Ulbricht.
“To me, that’s a crime,” Tarbell said, “someone holding $150 million that isn’t their property and using your property against you.”
The Eisenberg account stated on Wednesday that it had been informed that Aave “is safe.” It revealed its trading tactics via a text-message screenshot, which included a playbook resembling the Mango attack.
According to Tarbell, Eisenberg’s tweets demonstrate the exploiter’s potential desire for adoration. “Bank robbers rarely remove their masks when they enter a building,” he claimed. “This person removes his mask.”