Tuesday, April 29, 2025


Decentralized finance (DeFi) protocols have lost nearly $900 million since mid-September, as Solana’s Mango Markets became the latest victim following a $118 million exploit. The trading platform was taken down by an attacker who successfully manipulated the protocol’s price oracle.

The exploit – which took place on the evening of October 11 – was triggered after two USDC-funded Solana accounts took an excessive position on the Mango (MNGO)-Perpetual Protocol (PERP) token pair, causing a short-lived spike in MNGO prices.

Mango Markets then released a series of tweets detailing a post-mortem of how the exploitation took place:

Elliptic calculated the value stolen at over $117.8 million across 14 tokens, including Solana (SOL), USD Coin (USDC), Tether (USDT), Mango (MNGO), Marinade Staked SOL (mSOL), and Sollet Bitcoin (SOBTC).


The attacker has since submitted a proposal to the Decentralized Autonomous Organization (DAO) that controls Mango to return the funds – minus the bug bounty – on the condition that no criminal investigations are conducted and no claims are made for the remaining debts. The exploiter used their voting power – obtained through the tokens they stole – to cast a significant “Yes” vote for their proposal.


Elliptic analysis: The last 30 days were the most expensive on record for DeFi

Despite the bear market, DeFi is still being targeted by hackers due to its significant profits. The last 30 days have seen major hacks of Wintermute smart contracts (for a loss of $162 million), BSC Token Hub ($569 million), and Transit Swap ($29 million). This means that nearly a third of DeFi assets lost to theft in 2022 were stolen in this period alone.

Even on October 11 – the same day as the exploitation of Mango Markets – three more DeFi incidents were discovered. These included exploits of Rabby Swap and Temple DAO, and a potential vulnerability in ParaSwap’s smart contract, which has since been disputed.

No other 30-day period has been more expensive for DeFi. However, transparency and the difficulty of monetizing stolen funds mean that they are often recovered. The funds stolen from Transit Swap have mostly been recovered, and it looks like the Mango Markets attacker will do the same. Many of the tokens stolen from the BSC Token Hub have also been frozen, although this brings with it debates about the virtues and drawbacks of centralization in blockchain.

The exploitation trends seen throughout 2022 seem to be continuing – attacks have mainly targeted cross-chain bridges due to their high level of liquidity and operations on less secure blockchains. BSC Token Hub, Transit Swap and Rabby Swap were cross-chain bridges.

Moreover, the two most recent hacks found their place in the Top 10 crypto thefts of all time – with the BSC Token Hub and Wintermute exploits in second and ninth place.

After Tornado Cash, DeFi hack laundering strategies go cross-chain

Before the US sanctions in August, Tornado Cash would likely have been the laundering method of choice for many of these DeFi hackers. However, with Tornado’s liquidity largely depleted, criminals are turning to alternative laundering methods.

Both the BSC Token Hub and Mango exploiters used decentralized exchanges (DEXs) to exchange tokens. The BSC exploiter also used cross-chain bridges to move the stolen funds to seven different blockchains – including Ethereum.

Past analysis by Elliptic has already identified over $1.2 billion in stolen cryptocurrency being laundered through DEXs since the end of 2021, along with nearly $300 million being sent via cross-chain bridges.

Cross-chain crime – especially chain hopping or asset hopping – is becoming an increasingly prevalent trend. It is likely to become an increasingly common choice of money laundering method for criminals due to the sanctions against Tornado Cash.

Elliptic recently released its “The State of Cross-chain Crime” report on these risks for relevant stakeholders. It also launched its new Holistic Screening capability – the next generation of blockchain analytics – to enable virtual asset services and investigators to effectively manage and screen these risks.

Tornado Cash is still used to launder the proceeds of smaller exploits, such as the recent Rabby Swap exploit. You can also check out our recently published briefing note on “Tornado Cash Alternatives”, which provides insight into alternative obfuscation protocols that criminals could use instead.

Elliptic has taken immediate steps to ensure that the crypto addresses belonging to the hackers involved in the incidents mentioned in this article are added to our tools. Virtual asset services and investigators can now inspect wallets and monitor transactions to ensure they are not processing funds originating from these theft incidents.
