Mango Markets V3 priced cross-margin collateral using a Pyth/Switchboard-style oracle whose MNGO/USD feed was sourced from a small set of low-liquidity spot venues (FTX, Ascendex, Serum). The attacker opened ~$10M of MNGO-PERP long on one Mango account and an equal short on another, then bought MNGO across those underlying venues with ~$4M, pumping the oracle price ~13x within minutes. The unrealized PnL on the long position was treated as instantly-withdrawable collateral by Mango's risk engine (no time-weighting, no liquidity-adjusted haircut, no per-asset borrow cap proportional to insurance fund). The attacker borrowed ~$115M against the inflated balance and withdrew across BTC, ETH, SOL, USDC, USDT, MSOL — every asset in the protocol. The root cause is a risk-parameter design flaw: an illiquid governance token whose entire float was thinner than the borrow capacity it backstopped, combined with a spot oracle that had no manipulation resistance.
Classification: Ecosystem. Technique: Price Oracle Attack. Target type: DeFi Protocol. Affected chains: Solana. Implementation language: Rust.
- chain
- solana
- protocol
- Mango Markets V3
- bug_class
- oracle
- date_occurred
- 2022-10-11
- loss_usd
- $115,000,000
- classification
- Ecosystem
- technique
- Price Oracle Attack
- target_type
- DeFi Protocol
- language
- Rust
- source_id
- dl:286