
What the Hack Is Going On?

A week of DeFi hacks | DevCon updates | Coin Center sues the Treasury
Oct 15, 2022 · 3 min read

Dear Bankless nation,

Here’s a recap of the biggest crypto news in the second week of October.

Mango Markets exploit

There were a number of hacks and exploits across DeFi this week, starting with the Solana-based trading protocol Mango Markets. The protocol was fairly widely used, with one of the top transaction counts on Solana in Q2.

Source: Nansen

The first thing to note about the Mango Markets (MNGO) hack is that it’s not really a hack, but market manipulation that played by all the rules. A quick summary: The attacker opened a perpetuals position on MNGO with his first account, which he then longed on a second account, shooting up the spot price of MNGO from $0.03 to $0.91.

With paper profits on his second account, he took a loan of ~$120M on the protocol that wiped out the protocol’s treasury (see Joshua Lim’s tweet thread and OtterSec for more details).
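To make the mechanics concrete, here is an added example (not from the original newsletter and not Mango's code) that models borrow capacity when unrealized perp profit counts as collateral, first marked at the raw spot price and then at a price clamped to a slow-moving reference. Only the $0.03 and $0.91 prices come from the text; the position size, deposit, collateral weight, 10% band and all function names are constructed assumptions.

```python
from decimal import Decimal as D

def equity(collateral, size, entry, mark):
    """Deposited collateral plus unrealized PnL of a long perp position (USD)."""
    return collateral + size * (mark - entry)

def borrow_capacity(collateral, size, entry, mark, weight):
    """USD the account may borrow: non-negative equity times a collateral weight."""
    return max(D(0), equity(collateral, size, entry, mark)) * weight

def banded_price(spot, reference, max_dev):
    """Clamp spot to within +/- max_dev of a slow-moving reference price
    (for example a time-weighted average), so a sudden spike is not
    counted at full value when marking collateral."""
    low = reference * (1 - max_dev)
    high = reference * (1 + max_dev)
    return min(max(spot, low), high)

def compare(collateral, size, entry, spot, reference, max_dev, weight):
    """Return (capacity at raw spot, capacity at banded price)."""
    raw = borrow_capacity(collateral, size, entry, spot, weight)
    guarded_mark = banded_price(spot, reference, max_dev)
    guarded = borrow_capacity(collateral, size, entry, guarded_mark, weight)
    return raw, guarded

if __name__ == "__main__":
    # Constructed inputs: only the 0.03 -> 0.91 price move is from the article.
    raw, guarded = compare(
        collateral=D("5000000"),   # USD deposited (assumed)
        size=D("100000000"),       # long perp size in MNGO (assumed)
        entry=D("0.03"),           # price before the move
        spot=D("0.91"),            # price after the move
        reference=D("0.03"),       # slow-moving reference price (assumed)
        max_dev=D("0.10"),         # allowed deviation from reference (assumed)
        weight=D("0.9"),           # collateral weight (assumed)
    )
    print(f"capacity at raw spot:     ${raw:,.0f}")
    print(f"capacity at banded price: ${guarded:,.0f}")
```

With these constructed inputs the same account can borrow far more against the spiked spot price than against the banded price, which is why paper profits marked to a thinly traded spot market are risky to accept as collateral.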

The attacker then created a governance proposal which offered to pay back about half of the loaned money in exchange for not criminally prosecuting him (he also voted yes on it). That vote didn’t pass. As of the latest, Mango DAO is agreeing to pay the attacker a whopping $47M bounty.

The attacker is alleged to be ponzishorter.eth AKA Avraham Eisenberg.

Temple DAO $2.3M hack

Temple DAO is an old Ethereum-based Olympus DAO fork. Users earn a share of its treasury yields by staking its FRAX-backed native token TEMPLE. The DAO launched Stax Finance in May, introducing liquid staking for stakers. A smart contract error in Stax’s code enabled one hacker to drain ~$2.3M on Oct 11. From its official post-mortem:

At 9:11am EST, A total of 321,154 xLP tokens were taken from the xLP Staking contract. These tokens were swapped for precisely 1,418,303 $TEMPLE and 1,262,438 $FRAX. 1,418,303 $TEMPLE was then sold for 1,116,243 FRAX.

Rabby Wallet hack

Rabby Wallet is a self-custodial Ethereum-based browser extension wallet by DeBank that supports more than 30 chains. The protocol suffered a hack with an estimated loss of $200K due to a smart contract bug. If you’re a user, check for your address and revoke approvals for the wallet’s swap service.

Web3 News Roundup

SEC investigates Yuga Labs

Do Bored Ape Yacht Club NFTs constitute securities? That’s the question the SEC is asking this week as it turns its regulatory eye to Yuga Labs. As originally reported in Bloomberg:

The SEC is examining whether certain nonfungible tokens from the Miami-based company are more akin to stocks and should follow the same disclosure rules… [The SEC] is also examining the distribution of ApeCoin, which was given to holders of Bored Ape Yacht Club and related NFTs.

ApeCoin, if you recall, was launched back in March as the official token for Yuga Labs’ “Otherside” Metaverse, around the same time that Yuga Labs bought the CryptoPunks and Meebits NFT collections from Larva Labs.

Note that even though APE was airdropped to BAYC holders, and even though Yuga Labs announced its intentions to adopt APE as the token for its own products, ApeCoin was positioned as being operated by “ApeCoin DAO”, which in turn is supported by “Ape Foundation” and is officially unaffiliated with Yuga Labs. Whether or not the eye of Sauron will accept that distinction is a whole different question. See more on this on William Peaster’s Metaversal.

Coin Center + David sue the Treasury

You can read the full brief here. Support Coin Center by donating here.

Other news:

Not financial or tax advice. This newsletter is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research.

Disclosure. From time to time I may add links in this newsletter to products I use. I may receive commission if you make a purchase through one of these links. Additionally, the Bankless writers hold crypto assets. See our investment disclosures here.