What shady operations did the hacker behind the theft of hundreds of millions from Mango carry out?
TechFlow Selected TechFlow Selected
What shady operations did the hacker behind the theft of hundreds of millions from Mango carry out?
The hacker who understands DeFi and DAO the best.
Early this morning in Beijing time, Mango, a decentralized exchange within the Solana ecosystem, suffered a hacker attack resulting in losses of up to $115 million.
Mango later tweeted that it was taking measures to respond and expressed hope that the hacker would proactively contact them to discuss repayment—offering to let the hacker keep a portion as a bounty: "We are taking steps to have third parties freeze liquid funds. As a precautionary measure, we will disable deposits on the front end and provide updates as the situation evolves."
UXD Protocol, a Solana-based algorithmic stablecoin protocol, stated that nearly $20 million of its funds were affected by the Mango attack but confirmed its insurance fund is sufficient to cover the losses.
Tulip Protocol, a yield aggregator in the Solana ecosystem, also reported approximately $2.5 million in funds impacted by the Mango attack, adding it has enough capital to absorb the loss.(Added by TechFlow, not present in original text.)
Unlike previous hacking incidents, this hacker displayed unusually theatrical behavior—posting a new governance proposal on Realms:
The hacker demands that Mango use treasury funds ($70 million) to repay user bad debt; in return, they would give back part of the stolen funds and request immunity from criminal investigation or asset freezes.
As one crypto enthusiast commented, the Mango hacker clearly understands how to play DeFi and DAOs.
To date, the proposal has received 32.9 million votes in favor, with 32.41 million cast by the hacker themselves, still about halfway short of the 67.09 million vote threshold required for passage.
Manipulating MNGO Price to Execute the Attack
Based on analysis from crypto researcher @Joshua Lim and an incident report from @Mango, we can reconstruct the attack sequence as follows:
The hacker first deposited $5 million each into two addresses (A and B) on Mango Exchange:
-
A: CQvKSNnYtPTZfQRQ5jkHq8q2swJyRsdQLcFcj3EmKFfX;
-
B: 4ND8FVPjUGGjx9VuGFuJefDWpg3THb58c277hbVRnjNa;
Then, using Address A, the hacker opened a short position on Mango’s perpetual contract for MNGO, the platform token, at $0.0382, totaling 483 million tokens. Simultaneously, using Address B, the hacker opened a long position on MNGO at the same price of $0.0382, also for 483 million tokens. (Note: The reason for opening both long and short positions is that Mango's market depth is shallow—if not trading against themselves, such large positions would be difficult to establish.)

(Hacker shorting MNGO)
After establishing these initial positions, the hacker manipulated the spot price of MNGO across multiple platforms (FTX, Ascendex), driving prices up by 5–10 times. This inflated price was then relayed via Pyth oracle to Mango Exchange, further amplifying the price surge. Eventually, MNGO’s price on Mango spiked from $0.0382 to a peak of $0.91.

(MNGO price movement)
At this point, the hacker’s long position had generated profits of 483 million × ($0.91 – $0.0382) = $420 million. Using this artificial net worth, the hacker borrowed assets from Mango. Fortunately for the protocol, limited liquidity capped the total withdrawal at approximately $115 million, including: $54.41 million USDC, 768,500 MSOL ($25.3 million), 761,600 SOL ($23.47 million), 281 BTC ($5.356 million), 3.26 million USDT, 2.354 million SRM ($1.73 million), and 32.41 million MNGO ($667,000), as shown below:

(Stolen fund breakdown)
Following the incident, Mango announced it had frozen program instructions at 10:37 AM on October 12 to prevent any further interaction with the protocol.
In reality, this attack on Mango could have been avoided.
As early as March this year, a Discord user named @Ozcal warned the community that Mango did not impose limits on MNGO positions, leaving the door open for hackers to exploit price manipulation and drain platform assets.
But at the time, no one paid attention to this bug—except the hacker.

(March 2022 Mango Discord chat screenshot)
“Perhaps limiting derivative positions based on spot liquidity (where oracles source data) could prevent attacks exploiting spot prices to manipulate derivatives trading,” suggested Joshua Lim.
Will the Project Yield to the Hacker?
After the attack, the hacker posted a new proposal, requesting the team use treasury funds ($70 million) to repay protocol bad debt. Current treasury holdings amount to around $144 million, including $88.5 million worth of MNGO tokens and nearly $60 million in USDC.
The hacker stated that if the team agrees to this plan, they will return part of the stolen funds and requested no criminal prosecution or asset freezes. “If this proposal passes, I will send the MSOL, SOL, and MNGO in this account to an address published by the Mango team. The Mango treasury will cover the remaining bad debt in the protocol, ensuring full compensation for all users with negative balances... Once the tokens are returned as described, there should be no criminal investigation or asset freezes.”

According to earlier calculations, the hacker intends to return approximately $49.43 million—about 42% of the stolen funds—meaning nearly half of the stolen assets would be kept as a ‘bounty’, a rate significantly higher than typical white-hat recovery rewards offered in past incidents.
Mango officials indicated that the best current approach is communication with the attacker.
"The priorities for Mango DAO are: preventing any further unnecessary losses, ensuring the safety of depositors' funds in the Mango protocol, and attempting to salvage some value for Mango DAO. Mango believes the most constructive way forward is to continue communicating with the individual responsible for this event and who controls the funds removed from the protocol, in an effort to resolve the matter amicably."
Legal expert and LegalDAO founder MasterLi stated: No matter which country’s legal framework you apply, regardless of whether this vote passes, the hacker’s actions are undoubtedly criminal. Attempting to use this method to evade personal liability is unworkable under any national law.
"On another level—the level of DAO governance rules. In the absence of formal DAO legal entities, I believe DAO governance rules can be seen as a form of contract among members. The hacker gained voting power by stealing tokens and thus participating in this contractual relationship. Legally, this is entirely untenable. In other words, the hacker’s right to propose and vote is inherently flawed. Therefore, the 'official' side would not be unreasonable to reject this proposal (I'm unsure if MangoDAO has such mechanisms), nor would it contradict the principles of DAO governance. It’s like someone stealing my ballot and voting on my behalf—such a vote is unquestionably invalid."
It remains unclear whether the team will ultimately accept and implement the proposal. At the time of writing, the hacker’s proposal has received 32.9 million votes in favor, with 32.41 million coming from the hacker alone, still far from the 67.09 million needed for approval.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














