The Solana DeFi protocol suffered a $117 million exploit yesterday, and the hacker wants 70M USDC in 'bug bounty.'
On Wednesday, one day after $117 million was drained from Solana DeFi platform Mango Markets via a price feed exploit, the hacker responsible for the attack demanded a settlement. The proposal was filed on the Mango Markets decentralized autonomous organization (DAO) governance forum.
If passed, the procedure would involve the hacker sending stolen Mango Markets (MNGO), Solana (SOL), and Marinade Staked SOL tokens to an address provided by the Mango DAO team. Users without bad debt will be remade whole. However, the hacker demands that any bad debt will be viewed as a bug bounty and insurance, to be paid out via the community treasury worth 70 million USD Coin (USDC).
Adding insult to injury, the hacker has voted for this proposal using millions of tokens stolen from the exploit. However, the proposal has not passed the required quorum to pass. In exchange for the settlement, the hacker requests that users who vote in favor of the proposal agree to pay the bounty, pay off the bad debt with the treasury, waive any potential claims against accounts with bad debt, and will not pursue any criminal investigations or freezing of funds.
Reactions were, unsurprisingly, overwhelmingly negative, with one user writing:
"You're disgusting. What you did is wrong in every way possible. The responsible thing to do would have been to disclose the vulnerability to the team, NOT EXPLOIT IT. I hope the law enforcement community shows you ZERO MERCY."
Despite the tragic exploit, losses may be lower than previously estimated. For example, Solana stablecoin protocol UXD said that it had a total exposure of $20 million in Mango Markets. However, its insurance fund contains more than $53.5 million in assets and would be more than enough to cover the losses. The vote on the hacker's proposal is ongoing at the time of publication.
UXD Protocol has a total exposure of $19,986,133.9037 in @mangomarkets. Our insurance fund has more than enough capital to cover losses.
— UXDΔ (@UXDProtocol) October 12, 2022
UXD is 100% backed and users will be able to redeem once Mango Markets recovers from the exploit.