Crypto — how to grab $47m in seconds and walk away, scot-free
The past couple of weeks have seen the greatest dollar volume of heists from various crypto-related projects in blockchain’s short history, including four major incidents in one day. In one startling case, a guy helped himself to north of $100m. Not only did he get to keep $47m of it without threat of legal action, but he also went public, doxxing himself and saying ‘yeah, it was me, have a nice day’.
At the core of this story lies the subtle difference between the definition of a hack and an exploit. For instance, a hacker who breaks into crypto and steals cryptocurrency using a purloined private key is a thief, a robber, a breaker-and-enterer and a criminal. There are legions of these crimes across the crypto space. The perp or perps are always anonymous — they do not want to get caught, because they will go to jail. Which sometimes happens, although not often enough.
Then there is another sort of play. I am not sure whether to call it a scam, a grift or a crime: it does not really fit neatly into any of those definitions. What happened to Mango Markets on 12 October is a perfect example.
Mango Markets is a crypto project that facilitates lending and borrowing and margin trading in the crypto markets. There are a number of similar projects in this space; they deliver an important service to the crypto economy. Mango and similar projects all leverage a core advantage of blockchain — the ability of a piece of software, called a smart contract, to replace the function of the bank or exchange or other financial middlemen.
Mango Markets is not a fly-by-night. The amount of value that it manages has reached as high as $200m, dropping to about $150m as world markets have crashed.
And then one day, more than $100m disappeared from its coffers.
Bug in the code
What generally happens in these cases is that the developers, aided by an army of Good Samaritan developers out in the world, dive in to try to find out what went down. Smart contracts are open-source code, so anyone can read them: internal project developers and outsiders, both good and bad. In any event, they found a bug in the code. Or more accurately, an extremely subtle vulnerability in the way the application operates, which no one else had spotted since its release years before.
No one except a guy called Avraham Eisenberg.
Eisenberg is not a black-hat hacker wearing a dark hoodie. He has posted for years on various blogs like Substack, explaining how he and his team study DeFi protocols and find ways to trade profitably. He has explained his techniques without hiding them.
There is a 24 January post entitled, “How our team makes millions in crypto risk-free”. The article goes into transparent detail on how he does it — all above board, doing what armies of traders and hedge funds try to do in the real world.
All of this netted him a few percent per week in profits, sometimes more. An enormous amount if you look at the annual take. But nothing compared with his $100m haul at Mango.
The details of how he did this trade are less important than this: he did not hack Mango. He simply found a way to use its rules and process to leverage out the money. Nothing illegal at all. The Mango Markets smart contract was not supposed to enable this sort of trade. But it did, and he saw it and simply played by its rules.
Here is what he said in a Twitter thread on 14 October, when he doxxed himself a few days after the hack.
“I was involved with a team that operated a highly profitable trading strategy last week.
“I believe all of our actions were legal open market actions, using the protocol as designed, even if the development team did not fully anticipate all the consequences of setting parameters the way they are.
“Unfortunately, the exchange this took place on, Mango Markets, became insolvent as a result, with the insurance fund being insufficient to cover all liquidations. This led to other users being unable to access their funds.
“To remedy the situation, I helped negotiate a settlement agreement with the insurance fund with the goal of making all users whole as soon as possible as well as recapitalizing the exchange.
“As a result of this agreement, once the Mango team finishes processing, all users will be able to access their deposits in full with no loss of funds.”
It was a little stranger than that. Because Mango Markets offers any of its token holders (kind of like stockholders) the opportunity to submit proposals for improvements in the system, Eisenberg, who obviously held many tokens, submitted a proposal that said: ‘Hi everyone. I will return everything but $47m. That way your insurance fund will cover everyone, and no one loses money. And oh, you must indemnify me from legal action.’
The community voted 97% in favour. So he walked away with his money and indemnification. The $47m was called a “bug bounty” — a reward for finding a flaw in the system.
It may not be the end of this story. It is possible that prosecutors may see this as illegal market manipulation or something, and come after him.
But I suspect there is no recourse, and the blame lies squarely with the architects of the smart contract who let some smarter smartypants outsmart them.
Steven Boykey Sidley is a Professor at JBS, University of Johannesburg. This article was first published in Daily Maverick.