The community of crypto decentralised-finance application Mango DAO got back a portion of about $US100 million ($160 million) stolen this week after letting the hacker keep about $US50 million ($80 million) of the funds.
The settlement wraps up several days of tense negotiations between the hacker and Mango, which is governed by its community of token holders who vote on any changes.
Soon after the theft, the hacker posted a proposal in the app’s governance forum asking for bad debts on the platform to be erased – a deal that was not approved by the majority of Mango token holders even after the hacker voted for it with some of the stolen tokens.
The Mango team then posted a counter-proposal, offering to let the hacker keep about $US50 million for the return of the rest of the funds while promising no criminal prosecution and to erase the bad debt.
“We just got notice of the funds being returned,” Maximilian Schneider of Mango said in a Discord message to Bloomberg on Saturday. Community members are expected to meet to discuss how to refund the returned $US67 million to users, with votes on the plans taking place next week, according to Mango’s Twitter.
In a series of tweets on Saturday, an individual took responsibility for the hack, saying he was “involved with a team that operated a highly profitable trading strategy last week” on Mango.
“I believe all of our actions were legal open market actions, using the protocol as designed, even if the development team did not fully anticipate all the consequences of setting parameters the way they are,” according to the account, which claimed to be Avraham Eisenberg.
When reached on Twitter, the user did not immediately provide evidence of his identity. Mr Schneider pointed to the tweet as coming from the hacker, saying he disagreed that the actions were legal.
The payout is likely one of the biggest ever to a hacker.
More than a year ago, PolyNetwork offered an attacker who drained $US610 million from the platform a job and a bounty for returning the funds, which were eventually reimbursed. Bounties can run into millions – but they are typically offered to coders who point out vulnerabilities, not to hackers who steal funds.
“This is a clear failure of secure governance,” said Michael Lewellen, head of solutions architecture at crypto security provider OpenZeppelin.
“If an attacker can steal enough tokens to vote themselves a reward, it sends a signal that DAOs [decentralised autonomous organisations] can be hacked successfully using stolen tokens to avoid repercussions. This signals the need for better governance security that accounts for malicious token voters.”
In the Mango heist, two accounts funded with the stablecoin USD coin took large positions in Mango perpetual futures, causing the price of the Mango token to spike. The price jump stoked an unrealised profit from the futures. The attacker used that to borrow and withdraw about $US100 million, leaving depositors with nothing.
Hacks in crypto are common, with at least $US718 million stolen so far in October alone, taking the gross tally for the year past $US3 billion and putting 2022 on course to be a record for the total value hacked, according to blockchain specialist Chainalysis.