Following a $117 million exploit on Oct. 11, the Mango Markets community is set to make a deal with its hacker, allowing the hacker to keep $47 million as a bug bounty, according to the decentralized finance (DeFi) protocol's governance forum.
The proposed terms reveal that $67 million of the stolen tokens will be returned, while $47 million will be kept by the hacker. 98% of the voters, or 291 million tokens, have voted in favor of the deal, which also stipulates that Mango Markets will not pursue criminal charges in the case.
With the quorum reached, the voting is likely to happen on Oct. 15. The proposal stated:
"The funds sent by you and the mango DAO treasury will be used to cover any remaining bad debt in the protocol. All mango depositors will be made whole. By voting for this proposal, mango token holders agree to pay off the bad debt with the treasury, and waive any potential claims against accounts with bad debt, and will not pursue any criminal investigations or freezing of funds once the tokens are sent back as described above."
On Twitter, members of the community reacted to the development:
Mango hacker securing himself a ~$47m bug bounty.
— Hsaka (@HsakaTrades) October 14, 2022
Biggest crypto bounty by far?
The current bounty going rate of 10% of exploited funds is going to need to be repriced lmao.
The proposal has been questioned at the governance forum as well, as stated by one voter:
"Agree 100% that making users' funds whole ASAP is the top priority but a $50m 'bug bounty' is ridiculous. At most the exploiter should get their costs back ($15m?) plus $10m. $10m whitehat bounty is what was offered to the $600m wormhole hacker. Mango can negotiate better than this, especially given the exploiter is essentially doxed."
The hacker performed the attack by manipulating the value of the MNGO native token collateral, then taking out “massive loans” from Mango’s treasury. After draining the funds, the hacker demanded a settlement, filing a proposal on the Mango Markets decentralized autonomous organization (DAO) forum asking for $70 million at that time.
Moreover, the hacker has voted for this proposal using millions of tokens stolen in the exploit. On Oct. 14, the proposal reached the required quorum to pass. In exchange for the settlement, the hacker requests that users who vote in favor of the proposal agree to pay the bounty, pay off the bad debt with the treasury, waive any potential claims against accounts with bad debt and not pursue any criminal investigation or the freezing of funds.