Is this a "hack", or a legitimate financial transaction? Nothing above looks illegal. In regulated markets, if something went from $0.03 to $0.91 in a short space of time, trading would be shut down. Nobody would sell you a loan on something that had just had a giant change in price. But the crypto sector doesn't want exchange regulation, so they don't have the "circuit breakers" that, say, the CBOE does.
Web3isgoinggreat[1] tracks total losses in the cryptocurrency sector. Their total counter just advanced to $11 billion.
The description of crypto markets as "speedrunning the history of why we have the financial regulations we do" seems more and more accurate as time goes on.
But I agree, this isn't a "hack" in the normal sense. It may be a "hack" in the broader, "clever use of a system against the desires of the designer" sense, but it doesn't seem like any security boundaries were bypassed, just that the attacker made the system perform, per its rules, in a way that had not been predicted. Not a bad haul... good luck cashing it out, though.
As someone who's been at the butt end of banking regulation for almost two decades, I love that quote.
It used to annoy me to no end that crypto folk touted the lack of regulation, actually even the ability to regulate, as some revolutionary new feature, not realizing that in fact, they were just traveling back to the stone age of finance.
The vast majority of the tons of financial regulations that exist today serve to protect market participants, most notably your Average Joe. Average Joe claiming he doesn't need regulation just demonstrates their absolute cluelessness and is just another argument in favor of it.
If this platform doesn't have circuit breakers, it's simply because either they didn't think of it, they didn't think it was important, or they thought it was a bad idea.
There's nothing in crypto that clashes with the idea of a circuit breaker, it's completely orthogonal. And it shouldn't be too hard to code into the smart contract.
By the way I believe only some stock exchanges in the world have circuit breakers, it's not something as universal or required as you make it seem.
Most of the US ones do. Here's a list of recent NYSE and NASDAQ trading halts.[1] The London Stock Exchange has trading halts. Euronext has circuit breakers that trip on 8% - 10% changes.[2] The Tokyo stock exchange has trading halts, but doesn't use them often.[3] China's stock exchanges use trading halts too much.[4]
That covers the major markets. Who doesn't have some system to stop trading during big price swings?
[1] https://www.nyse.com/trade-halt-current
[2] https://www.euronext.com/en/news/trading-safeguards-euronext...
[3] https://www.jpx.co.jp/english/markets/derivatives/suspended/
[4] https://www.scmp.com/business/china-business/article/2174454...
If the "perpetrator" sold 483mm units on one account and bought 483mm units on another account, why did the market price rise so much?
Because the attacker owns both wallets. This is called a wash trade, which is something that has been illegal for over 80 years.
The people that don't architect their systems for oracle manipulations?
The way people talk around here reminds me of people in the 90s "that dun undastand dem puters with their viruses". Interestingly, the folly and new problems presented by computers never went away; consumer and developer behavior improved.
In the real world we have things like leverage ratios, anti-manipulation laws, circuit breakers, etc. Some of this is regulatory, and others are just things we figured out were good ideas many years ago.
I think there's a sense of hubris in the new "code is law" advocates. As a programmer, code is law scares me because I know code is nothing if not buggy, whereas law has real mechanisms where the case is presented in front of humans that, generally speaking, have reasonable thoughts. Yes, law is flawed, judges can be biased, lawyers are expensive, but throwing all of that away in favour of code on the internet seems much worse.
Judges can issue injunctions that say "freeze everything until we sort it out in court", whereas code just runs whether you want it to or not. Courts can say "reverse all the transactions related to x", and blockchain is, by design, immutable.
That's why these hacks are so often associated with Bridges - because the bridges are the locations where two different sets of rules are in force and you can exploit the difference between them.
They don't though. Courts dream new meanings into existing laws, create new duties where none existed before, and while the extent to which they should do so is controversial, few serious people think they should avoid doing so entirely.
Yes, certainly we can write courts, injunctions, reversals, etc into code, but that's massively increasing the surface area for bugs. Oops, a hacker just injuncted the entire network and now the entire network is frozen.
Courts exist, to a certain extent, so that an impartial human can take a look at the situation and act according to thousands of pages of laws and hundreds of years of precedent. Humans are good at thinking like other humans, so we usually have pretty good intuition around what a judge will say and the limited possible outcomes from there, whereas the same really can't be said for computers.
Oops, robojudge just awarded all the money in the network to the hacker, too bad.
FWIW, I recently read Seeing Like a State and am still trying to process what trying to make society more legible (manageable) even means.
Obtaining someone else's tokens because code had a flaw = Hack
All exploits are making a program do what it says it does but where that behavior is different than what the developers hoped it would do.
They just didn't realize that there are dangers in using a price oracle for collateral valuation that has recently shown a sharp upward movement. (Which falls under "fitness for purpose".)
So the code correctly lent to someone at Mango's current valuation, it just didn't require the optimal-in-hindsight collateral ratio for such a volatile asset.
That's why today's financial system has the ability to manually revert back to a previous state if something goes wrong, e.g. undo transactions, government bailouts etc.
I guess this is helpful with some classes of bugs. But I'm not sure it would with most. For example it is unclear if it would have caught this problem since (from the vague description!) it appears it would have needed some economic modelling to catch.
Is the second sentence missing some words? Or is there something specific about Mango that makes this make sense? If 483mm units were bought for $0.0382 per unit (is that the average price, a fixed price?), why did the spot price suddenly increase 30x? Was there that big of a spread in the order book? Also, how does that add up to $5mm USDC? Isn't $0.0382 x 483mm = $18.4506mm?
Second question: Mango Markets lets you trade perpetual futures with leverage, so you don't need collateral equal to the notional value of the contracts you buy.
User acquires an/a set of in perpetuity futures contracts. (A future without an expiry date, effectively, what? A pin I guess?) Idea being, this order indicates intent to swap at volume $MNGO to $USDC at $RATE.
Centralized exchanges see the futures order, and start cranking up the price of $MNGO due to the increased interest in swapping based on the presence of the Futures.
The Futures contracts are leveraged, but require no collateral, because there is no expiry date on the Future (no intended date of delivery).
So the order volume (spot token purchases) induced upward price movement and... What? Caused other uninvolved investors to buy his acquired tokens at a peak, and he just takes the money and cashes out never intending to actually honor or settle up the perps, which won't margin call, because they're still "good" but will never mature? I'm failing to see an exfil path for ill-gotten gains/financial chicanery beyond the seemingly obvious wash trading.
If anyone can help detangle this, I'd be much obliged. This kind of market weirdness is interesting, but inscrutable at times, when there's usually like 6 pieces of networked jargon needed to render something that doesn't tend to line up to anything tangible in the conventional sense.
https://twitter.com/joshua_j_lim/status/1579987648546246658?... is the source overview.
The software all worked as expected, and it's difficult to see exactly which step you'd go "no, the person shouldn't have done that".
Arguably the fault is with the loan protocols that valued collateral at the instant spot price rather than some kind of time-averaged price.
The entire cryptocurrency hype machine is predicated upon quoting market capitalization based on instantaneous spot prices. Nobody thinks about liquidity until it's gone.
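Two defensive ideas raised in the thread, valuing collateral at a time-averaged price instead of the instant spot print and a circuit breaker that halts lending when the spot price swings too far, can be sketched in a few lines. This is an added illustration, not code from Mango Markets or from any commenter; the quote series, the 50% collateral factor, the 20% deviation threshold and the six-quote window are all constructed assumptions, and only the 483mm unit count comes from the thread.

```python
from collections import deque
from statistics import mean

# Constructed quote series (not real MNGO data): ~$0.03 for a while,
# then a burst of prints near $0.91 of the kind wash trades can produce.
QUOTES = [0.030, 0.031, 0.030, 0.032, 0.031, 0.030, 0.91, 0.92, 0.91]

UNITS = 483_000_000      # collateral position size quoted in the thread
COLLATERAL_FACTOR = 0.5  # assumed: protocol lends 50% of collateral value
MAX_DEVIATION = 0.20     # assumed breaker: halt if spot is >20% away from TWAP


def spot_value(units, price):
    """Naive valuation: position size times the latest print."""
    return units * price


def twap(window):
    """Time-weighted average; with equally spaced quotes this is the mean."""
    return mean(window)


def circuit_breaker_tripped(spot, reference, max_dev=MAX_DEVIATION):
    """True when the spot print deviates from the reference by more than max_dev."""
    return abs(spot - reference) / reference > max_dev


def borrow_capacity(units, window, factor=COLLATERAL_FACTOR):
    """Guarded valuation: use min(spot, TWAP) and lend nothing while halted."""
    spot = window[-1]
    reference = twap(window)
    if circuit_breaker_tripped(spot, reference):
        return 0.0  # trading/lending halted for this asset
    return units * min(spot, reference) * factor


def run(quotes=QUOTES, window_size=6):
    """Replay the quotes, returning (price, naive_capacity, guarded_capacity)."""
    window = deque(maxlen=window_size)
    results = []
    for price in quotes:
        window.append(price)
        naive = spot_value(UNITS, price) * COLLATERAL_FACTOR
        guarded = borrow_capacity(UNITS, list(window))
        results.append((price, naive, guarded))
    return results
```

Before the spike both valuations agree; once the $0.91 prints arrive the naive path would lend against roughly $220mm of "collateral" while the guarded path returns zero because the breaker has tripped.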
Multiple scams and failures every day.