This is Bloomberg Crypto, a daily Bloomberg iHeart podcast, and I'm Stacy Marie Ishmael, Managing Editor of Crypto for Bloomberg News. It's Monday, November. Well, now, there's been a lot going on in crypto in just the last few days. Sam Bankman-Fried's global empire has come crumbling down around him. Multiple of his companies have filed for bankruptcy protection. Various wallets associated with his exchanges were drained of their funds.
Sam himself was questioned by police and regulators in the Bahamas, where FTX was based. How did it all come to this? You'll hear more about what's going on and how we got here on some special episodes of the Bloomberg Crypto podcast this week. On Tuesday, my colleagues Vildana Hajric and Katie Greifeld will discuss the very latest developments in the SBF, FTX, Alameda universe. But for today's episode, which we recorded before the shenanigans of the last several days,
we're going to talk about Mango. No, not the fruit, the DeFi protocol, one that was hit by a one hundred million dollar exploit recently. Mango experienced a type of exploit that's really raising eyebrows in crypto these days. It's called a price manipulation attack, and it involves taking advantage of how DeFi platforms are supposed to work.
In this episode, I'll be joined by Bloomberg reporter Muyao Shen, and by Evgeny Gaevoy, the CEO and founder of Wintermute, a trading platform that was itself hacked for a hundred and sixty million dollars back in September. Muyao, what's been going on with DeFi and specifically with Mango that has
folks a bit stressed right now? I think it really all started with us being at this stage of the market. A lot of tokens are not as liquid as they used to be, as there's less retail interest in the space and there's also less, I'm assuming, institutional interest in the space. So as a result, a lot of tokens, as we know in the past, especially in the bull market, there's hundreds of tokens that have been created. Now, because there's less interest, there's less money in the space, a
lot of tokens, they are not as liquid as they used to be. Therefore, it's easier for people to sort of manipulate the prices of these tokens by simply just, like, one trade or a few trades, so they can move the price either up dramatically or down dramatically easily.
This doesn't seem to be technically or practically illegal as far as any of the various lawyers that we've spoken to. Just kind of in principle, it's very upsetting, right? You are the owner of a platform, or you are people who are affected by this thing, and someone comes in and is able to take advantage of price movements that they may themselves be triggering to, you know, buy or sell, or both buy and sell, in a way that allows them to walk away with a significant amount of money.
But again, as somebody who has been sort of on the other side of these kinds of exploits that exist in the legal gray area, what is it like to go through it? Basically, I'm in crypto for over five years now, but before that I was in normal traditional finance, and I would say those kinds of trading strategies, quote unquote, would be very much illegal in traditional markets. Like, if somebody did something like this on, I don't know, CME and NYSE, for example, they would get into
a lot of trouble. So to me, it's very, very much illegal what happened, to be honest. People who are engaging in these kinds of exploits, and there is one in particular as it relates to Mango, who has sort of publicly been talking on Twitter, on Discord, saying, well, you know, this isn't illegal. Your contracts allow me to do this kind of stuff. I'm going to do this kind of stuff. And to our knowledge, he has not been charged with any crimes. He's definitely not been arrested.
But what has been happening is a sort of, how shall I say, rage from folks in the DeFi community that he does have this degree of impunity to sort of say, well, yeah, I'm going to do this thing and you can't do anything about it. And specifically, when he was first able to do this exploit with Mango, the initial amount that he was able to, you know, manipulate in his favor was a hundred million. Eventually it
was cut to about half. Muyao, what happened between that hundred million and that fifty million? Like, what were the conversations between Mango and this person that reduced the amount that was lost? I mean, correct me if I'm wrong. What I heard is that what happened is he posted a statement about what happened, and again he says everything he did was totally illegal, but he
had a conversation with the Mango team. Eventually they made a deal that he would return part of the money back to the Mango Markets team, just because what happened to Mango as a result is that the whole project became sort of insolvent and they had no money, low liquidity, and a lot of users are trapped with the fact that there's no money left there now. Evgeny, I've got to ask you this question, right? Like, Wintermute was affected by an exploit in September to the
tune of sixty million dollars. What did you learn going through that and what are you doing? How are you thinking about the space differently as a result? Honestly, not much changed, I guess, in my thinking. Like, I see those hacks, exploits as basically a cost of doing business in a way. But it's, I wouldn't say
it's inevitable, but it's something, well, as an operator in the space, you basically have to accept that's a possibility in the trading strategies you do, that there is a possibility of a hack, of an exploit, of something going wrong with the protocol you own or the protocol you trade on. So for us as a firm, nothing
changed in terms of strategy. Like, we obviously learned quite a bit from this event. We will approach trading going forward in a much safer way, but nothing changed in terms of, well, in terms of us being really interested in the space, in terms of us being really invested in the space and basically us continuously working to, yeah, continue trading, continue moving the space forward. Is there actually a way to design a seatbelt?
Is there a way to get this be from a cost of doing business to something that is unattractive to
potential exploits? Look, it's always possible to make it super safe, and I guess that's what the whole ecosystem, the DeFi community, is working towards, and ultimately they will arrive. Like, if you look at battle-tested protocols like Aave, for example, it looks like it's pretty safe to use, and there are like billions of assets in protocols like this. But it does take time to arrive at the stage where protocols like Aave,
like Uniswap, for example, are battle tested and there are basically no exploits possible for those particular protocols. But the main challenge always arises when there is an intersection between different protocols, which is the coolest thing about DeFi in general, when the protocols can coexist with each other and, like, build on top of each other. And, like, in the case of Mango specifically, it's the oracles, and from what we saw from a lot of exploits
in the space, and not just Mango but other ones, oracles are typically the most vulnerable point, because that's where the manipulation can potentially happen. And if you design your protocol as something that has to rely on an oracle, yes, that ultimately can be a point of failure. Now, when we talk about oracles and DeFi, we don't just mean some, like, all-
seeing entity. What we're describing are the pricing systems that folks use to say, oh, yes, this token is actually trading at x y z price. And it sounds like what you're describing is the fact that these automated systems that assume a price that exists is valid is a point of vulnerability, because that price might have been manipulated five seconds before. Exactly, and basically, in traditional finance the price manipulation would be illegal, while in crypto at the moment,
it's not. Well, you started by saying, you know, one of the reasons this type of exploit has been possible is because of the relative lack of liquidity. In an environment with less liquidity, it's a lot easier to make these sorts of dramatic price moves that allow the sorts of trading strategies that folks are using to make these
kinds of profits. There have been a couple of platforms and protocols, I'm thinking about, like, Compound and a couple of others, that said, okay, for, like, less liquid tokens, we're going to take certain types of steps to make them less prone to this kind of manipulation. What other things have you seen or are you talking to people about that they're also considering as a way
to mitigate the risks here? A big part of what happened with Mango Markets and the similar attacks was what kind of collateral you can use to borrow money in the space. I think when projects in general consider what are the tokens that we accept as collateral, it's very important. I think sort of due diligence around each token and about technical details and everything else around the token and the project is very important, you know.
Like, as crypto is 24/7, it never sleeps. It's also very important to have established or integrated sort of on-chain analysis and monitoring around your project, just to make sure that, you know, if something bad happens, you can detect it early on and be able to at least have time to fix it or to save it. Evgeny, as somebody who is in the position of having to convince borrowers, lenders that they should continue to be using, you know, not just, like, your protocol, your platform, but, like, DeFi
in general, what are you saying to folks out there who are looking at this under the, like, is my money at risk if I am, you know, investing or in any way involved in DeFi right now? I think one thing to consider is just how transparent it is. And I think, like, I'm coming from, like, a very basic
example, which is lending protocols. We've seen this year that, well, Celsius collapsed, companies like BlockFi, Voyager had issues, and, like, one unified theme around all of those is, like, you could put your money in Celsius, but you would have no idea where the yield is coming from. In DeFi, it's very much transparent and clear where the yield is coming from. Like, whether you put it on Aave or you put it on Maple, for example, you know exactly where the yield
is coming from. And that's a very big shift from a very intransparent, like, traditional centralized player. That's a centralized kind of place. Coming up, more from Bloomberg reporter Muyao Shen and from Wintermute CEO Evgeny Gaevoy on how the recent attack on Mango is shaking up the crypto industry. Now, in the immediate aftermath of the hack that affected Wintermute, you know, you tweeted that you were willing to offer a ten percent bounty to
the hacker if they returned the funds. How have your feelings on bounties evolved over time? Do you think that these are effective? Do you think that something like a cap makes sense? I think it's ultimately up to every protocol what to do with it, or every company what to do with it. To me, something between like five to generally makes sense. Putting a cap on might
make sense as well. Like, we had another experience with a hack back in the summer with Optimism, where it ended up successfully, where the hacker did accept the bounty. I personally think ten sounds fine. Limited to five million dollars can also work, I guess, yes. But in general, like, I think it's a great thing if we have some kind of standards set in place so that, like, every protocol or every company doesn't have to keep
reinventing it every time something like this happens. The thing is that every time, like, at least when I talk to somebody in DeFi and I start saying words like agreed standards, they're like, no, that is the opposite of decentralization. You know this. How do you square those things? Yes, I think that there was actually recently a debate between SBF and Erik Voorhees, and
Erik, in his post, he basically, like, there is a difference between regulation and standards, and regulation is, like, laws imposed on you, and standards are something, well, you can agree to follow, basically, and you follow the standards, people will television more likely, but you don't have to. Like, you can say, yeah, I'm not gonna abide by the standards. I'm gonna do my own thing. And that's fine. Muyao, you talk to a lot of folks in
DeFi kind of all day long. We've said on this podcast over and over that one of the, it's almost like a meme at this point. If you are the CEO of a big crypto exchange, you're like, we just want regulatory clarity, like, we just want to know what's going to happen. What is the vibe among the other DeFi executives that you speak to as it relates to this regulation and enforcement piece? I think
it's funny. I think when I first started covering crypto way back then, I mean, saying way back then, it's a little bit exaggerated because DeFi has been existing only for these few years. In the past, you know, in the beginning when we talked to DeFi folks, it's usually just those degens, you know, anonymous people on Discord, trying to find the alpha. Like now, like, I think people are becoming
more realistic. Like, a lot of folks, when I talk to them, they understand, you know, like, for DeFi to really grow, to really go bigger, you need bigger money coming into the space. You need people to use it for real-life applications, and, you know, people can borrow and lend, like, even real-world assets in the space, and you have to have regulations on that. I think that's sort of the general consensus as I'm
getting from people these days. But I think, as we just discussed, it's really hard to tell how we can get everyone together to have some sort of agreement on how to regulate it and how can sort of enforce people to follow the rules. Again, from your perspective, what is kind of your ideal version of something like that for DeFi? Like, if we ever get to this sort of scale for DeFi where the applications are things like, you know, widespread availability of mortgages or, you know,
what other sorts of consumer finance people might need, what does that look like for you? To me, the ideal regulation around DeFi, and maybe regulation is not even the right word here, but to me, the ideal would be, for example, with SEC not saying the security is not security, which they're not even saying, to be honest, but it would be saying, okay, guys, we looked into Ethereum. It can be, like, risky, but it's definitely not a
scam, something like this. So basically, instead of prosecuting protocols for potentially being securities or not, basically making a list of safe things to invest in, that to me would be ideal, because the world where, like, what especially American investors are running into now, or ordinary people really, is, well, they cannot legally use a big portion of DeFi protocols like dYdX, for example, because dYdX just IP-blocks US people because it doesn't want to deal with
the FTC or SEC, because it doesn't want to break the law, which is very understandable, but it also means that basically a big chunk of the market, a big chunk of opportunity, which is open for the rest of the world, is just really closed for normal retail people in. Yes, well, a pleasure to have you both on the show. Thank you again for taking the time. Thank you. Thank you. You can find more of Muyao's reporting on the Bloomberg terminal,
on Bloomberg dot com and on Twitter. This is Bloomberg Crypto, a daily podcast from Bloomberg and iHeartRadio. For more shows from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you get your podcasts. Send us your comments, questions, or suggestions for the show to Crypto at Bloomberg dot net. The supervising producer of Bloomberg Crypto is Vicki Vergolina. Our senior producer is Janet Babin. Our producers are Mohammed Fruke and Sharon Barrio.
Our associate producers are Ty Butler and Moses on Them. Desta wonder At is our engineer. Original music by Leo Sidran. I'm Stacy Marie Ishmael. We'll be back tomorrow.
