Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Tristan Profile picture
@Tristan0x
Oct 12, 2022 17 tweets 8 min read Read on X
1. Quick breakdown of what happened today on @mangomarkets, the movement of exploited funds and who might be responsible. Image
2. For background, the exploit involved an oracle price manipulation attack on the $MNGO market.

Covered in great detail here:
3. TLDR;
Attacker pumped the price of the illiquid $MNGO token from 3c to 91c. The unrealised PnL (marked at >$400M) of positions were in turn able to be used as collateral on @mangomarkets to borrow all assets on the platform and leave it in deficit.
4. Tracing the flow of funds 🔁

On October 11, 2022 19:43 the exploiter `yUJw` funded their account with a total $5.5M USDC from @FTX_Official Image
5. After executing the aforementioned attack, they were able to withdraw roughly $116M of assets.

The $USDC was withdrawn to `41zC`, $USDT to `5C1k`, $MNGO mostly used to launch a sham DAO governance vote and the remaining assets left untouched in the wallet. Image
6. Following the trail of USDC, we see that 57M lands in a @circlepay wallet `41zC` (confirmed by multiple sources + users of circle). Image
7. Of the cumulative ~57M going into `41zC` we can hazard a guess that ~27M of those are moved to Circle's main wallet `7VHU` (containing over 3B USDC).

We're still unsure as to whether this is an attempted redemption for fiat, only @circlepay can really shed light here. Image
8. So what happened to the other ~30M?

This seems to still reside in the `41zC` wallet. Our guess is this is wallet is used to custody funds for bridging on Circle's newly launched Cross-Chain Transfer Protocol.

circle.com/en/pressroom/c…
9. Why do we think this?

Well as it happens, 30M USDC was redeemed on Ethereum starting at 23:16:35, whilst Solana USDC deposits we saw above to their Circle deposit wallet `2NTz` began at 23:14:54. It was then swapped to DAI via 1inch.

2mins apart, quite the coincidence no? Image
10. To make this case even more concrete, the Ethereum address to which it's withdrawn to are under "ponzishorter.eth" ENS domain.

etherscan.io/address/0xadba…
11. Who is ponzishorter.eth?

A few days prior to this exploit, a certain discord user was discussing details of a potential oracle manipulation exploit proof of concept on the order of 9 figures. Eerily similar.

Massive kudos to @realChrisBrunet for discovering this info. Image
12. Thanks to inside sources it turns out his real identity is Avraham Eisenberg and he's got quite a coloured history with respect to hacks and crypto exploits. ImageImage
13. Most recently he rugged to the tune of 10M on his OHM fork project Fortress DAO.

@zachxbt and others cover this below:

rattibha.com/thread/1491089…
14. Now it's down to @FTX_Official and @circlepay who have the KYC information to show undeniable evidence (unless the accounts are stolen or KYC docs faked).

Deposit from FTX: solana.fm/tx/4aPwYv5fKGK…
Exploiter's Circle deposit address: solana.fm/address/2NTz7V…
15. Truly hope that all funds are returned to users who lost money today.

Likewise, hoping the undeniably excellent @mangomarkets team bounce back from this quickly - DeFi needs more smart and dedicated teams like them.
16. Kudos to @0xFA2, @zachxbt and many other anons who helped piece together some of the clues and trawl through on-chain txes all day.
17. Looks like this is not his first rodeo either. He's pulled same old trick before as @wilburforce_ highlights:

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Tristan

Tristan Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Tristan0x

Tristan Profile picture
Feb 9
SOLANA 2.0

The recent episode of @Lightspeedpodhq with @aeyakovenko was a certified banger. Toly outlines a the latest and greatest coming out on the @solana roadmap and there's plenty to be excited about.

I listened to it on the plane and took some intern notes for y'all 🧵 Image
1/ One of Solana's key design choices is allowing direct access to the leader and processing transactions as a stream, leading to the fast block times we see.

Ethereum as we know uses the mempool design which is highly censorship resistant but slow due to gas auctions.
2/ There's no silver bullet though. For this speed boost, Solana lends itself to mass transaction spam (effectively DDoS of the network).

The solution? QoS and better priority fee markets to penalise write locked accounts
solana.com/news/solana-ne…
Read 18 tweets
Tristan Profile picture
Oct 12, 2022
Looks like the Mango hacker had ~$57M USDC withdrawn to 41zCUJsKk6cMB94DDtm99qWmyMZfp4GkAhhuz4xTwePu

This address has been around for a long time (1.5yrs+) and regularly sees 100s of millions in USDC go through it & #3 holder of USDC on Solana. Possibly @circlepay controlled?
Most of the USDC coming in seems to flow out of the wallet in due time as well, although the net balance does grow slowly over time.

You can see the recent hack withdrawal sharply took the balance from 42M to 100M USDC.
Hacker address: solana.fm/address/9BVcYq…

Withdraw address: solana.fm/address/41zCUJ…
Read 7 tweets
Tristan Profile picture
Aug 3, 2022
Tough day for everyone on Solana today, but here's a breakdown of what we know:

1/ At approximately 22:37 UTC yesterday a hacker began a widespread exploit, the extent of which has so far affected $4M+ of assets from 9.2k+ unique wallets.
2/ During the initial phase, funds were extracted at an aggressive pace with hundreds of thousands of dollars being lost minute to minute (all sizes here are converted to USD).

At 23:19 as we thought things were subsiding, another enormous outflow occurs in the order of $1-2M.
3/ I can't be certain if something changed in their strategy or whether they just happened to stumble across a number of large wallets (requires more digging).

As you can see at both peaks the average size of transactions is orders of magnitude higher, and predominantly in USDC.
Read 21 tweets
Tristan Profile picture
May 28, 2022
I earned $1.4M in arbitrage profits on Solana in a single transaction. Here is how I did it.

A lot of people are messaging me about how to get started so I thought I would make a basic outline.

More detailed article to come so make sure to follow.

A thread 🧵
1. Programming fundamentals

It goes without saying that you need to have adept programming skills to make money doing MEV. I recommend starting with Scratch because of its extremely powerful visual programming model. Don't bother with outdated languages like Rust and C++ 👎
2. Learn arbitrage basics

Arbitrage is when the price differs between two different exchanges. The hidden secret of MEV is to buy low and sell high 🤯

On fast blockchains like Solana, the block times are faster which means more MEV 💰💰💰
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(