The Ethics of Exploitation in DeFi

The recent Mango Markets hack, legality of code exploits, and the ethics of market manipulation in the DeFi

Xander Hoskinson
5 min read · Feb 6, 2023


On 11 October 2022, Mango Markets, a Solana-based decentralised exchange, was hacked by a team led by Avraham (Avi) Eisenberg.

The exploit allowed Eisenberg to transfer $114m from Mango Markets into his personal accounts.

Four days later, he published a victorious tweet thread stating, “I was involved with a team that operated a highly profitable trading strategy last week.”

If you’re ever planning to hack a platform for hundreds of millions, it’s usually best practice to get as far away from the crime scene as possible.

Yet in a very serial-killer-esque manner Eisenberg went to Twitter to explain exactly how he did it.

Eisenberg even claimed that the exploit was perfectly legal, undertaken with ‘legal open market actions, using the protocol as designed’.

He later felt bad about expropriating millions of customer deposits, so ‘kindly’ reached an agreement with the Mango DAO to return $67m of it — still leaving a tidy $47m personal profit.

I’m not going to spend my word count discussing the legality of his actions. I have no doubt that the courts will spend the next several months determining the legal issue.

Eisenberg is being sued by Mango DAO for the $47m plus damages, the CFTC for market manipulation, and the SEC for violations of federal securities laws.

If the entire $47m isn’t clawed back, it’s likely that a good portion of it will be spent on legal fees.

Putting the legal question aside for a second, the ethical question is equally interesting.

Let’s recall a central DeFi norm — the idea that ‘code is law’. I find this phrasing a little problematic. It is intended to highlight the paramountcy of code, but forgets that functional code is not infallible.

Code can work exactly as written, yet still be open to exploitation.

If code is law, and code is used to attain a monetary advantage, there is technically nothing wrong.

The code has operated as written. It’s not a valid legal (or even crypto ethos) solution to say, ‘oh but that’s not what we intended the code to do’.

Luckily, market manipulation is illegal regardless of the conundrum above. If code enables market manipulation, and somebody manipulates the market, they’ll face charges for market manipulation!

Price vs Value

Price vs value is a week 1 topic in the University of Sydney Valuations course that I took in the first half of 2020. It’s fascinating to see how often it crops up.

So let’s take a look at the exploit itself, which involved:

1) Pumping the price of the Mango (MNGO) token;
2) Profiting from this pump;
3) Borrowing $116 million against these (unrealised) profits; then
4) Withdrawing those funds from Mango Markets.

The exploit was a textbook example of cross-market manipulation. Within ten minutes of opening a massive Mango perpetual futures position, Eisenberg bought $4 million worth of MNGO on three separate exchanges, pumping its oracle-reported price by 2,300 percent.

This is a textbook price vs value problem. The ‘oracle-reported price’ was theoretically correct.

The issue was that the inflated price didn’t reflect the underlying value of the tokens. It was temporarily distorted by the spike in demand-side liquidity.

Now clearly there was an issue with risk management within Mango Markets’ platform. Its code permitted large borrowings that used the native token (MNGO) as collateral, valued at whatever price the oracle happened to report at that moment.
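To show the price-vs-value problem from the risk manager’s side, here is an added simulation. It is not Mango Markets’ code and not from the original article; the price ticks, the 0.8 collateral factor, the 10-tick TWAP window, the 1.5x deviation breaker and the $100,000 per-asset cap are all constructed assumptions. It computes how much borrow capacity the same collateral unlocks under four valuation policies when the last two oracle prints jump roughly 24x (the 2,300 percent move the article cites).

```python
"""Constructed simulation: how a lending protocol's collateral valuation
policy changes the borrow capacity that a short-lived spot-price spike
unlocks. Every price, window, factor and cap below is a made-up assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed oracle feed: 20 quiet ticks at $0.04, then two ticks after a
# sudden ~24x jump. Ticks are equally spaced in time.
PRICE_TICKS: List[float] = [0.04] * 20 + [0.96] * 2


@dataclass
class CollateralPolicy:
    collateral_factor: float               # fraction of collateral value that may be borrowed
    twap_window: Optional[int] = None      # None = trust the latest spot print
    max_deviation: Optional[float] = None  # spot / reference ratio that halts new borrows
    asset_cap_usd: Optional[float] = None  # maximum borrow power granted per collateral asset


def spot_price(ticks: List[float]) -> float:
    """The naive oracle: whatever the market printed last."""
    return ticks[-1]


def twap(ticks: List[float], window: int) -> float:
    """Time-weighted average over the last `window` ticks.
    With equally spaced ticks this is a plain mean, so a two-tick spike
    only moves the reference price by a fraction of the jump."""
    recent = ticks[-window:]
    return sum(recent) / len(recent)


def borrow_capacity_usd(collateral_tokens: float, ticks: List[float],
                        policy: CollateralPolicy) -> float:
    """USD a borrower may draw against `collateral_tokens` under `policy`."""
    spot = spot_price(ticks)
    reference = twap(ticks, policy.twap_window) if policy.twap_window else spot
    # Circuit breaker: refuse new borrows while spot diverges from the reference.
    # (Only meaningful when a reference other than spot is configured.)
    if policy.max_deviation is not None and spot / reference > policy.max_deviation:
        return 0.0
    capacity = collateral_tokens * reference * policy.collateral_factor
    if policy.asset_cap_usd is not None:
        # Hard cap: a thinly traded native token cannot back unbounded debt.
        capacity = min(capacity, policy.asset_cap_usd)
    return capacity


def compare_policies(collateral_tokens: float = 1_000_000,
                     ticks: List[float] = PRICE_TICKS) -> Dict[str, float]:
    """Borrow capacity for the same collateral under four constructed policies."""
    policies = {
        "spot_only": CollateralPolicy(0.8),
        "twap_10": CollateralPolicy(0.8, twap_window=10),
        "twap_10_breaker": CollateralPolicy(0.8, twap_window=10, max_deviation=1.5),
        "spot_capped": CollateralPolicy(0.8, asset_cap_usd=100_000),
    }
    return {name: borrow_capacity_usd(collateral_tokens, ticks, p)
            for name, p in policies.items()}


if __name__ == "__main__":
    for name, capacity in compare_policies().items():
        print(f"{name:16s} borrow capacity ${capacity:,.0f}")
```

With one million constructed tokens, the spot-only policy lets the two spiked prints back $768,000 of debt, the ten-tick TWAP reduces that to $179,200, the deviation breaker halts borrowing entirely while spot sits more than 1.5x above the TWAP, and a per-asset cap bounds the exposure regardless of price. None of these removes the price-vs-value gap; they limit how much of it can be converted into withdrawable funds before the price reverts.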

If this is ringing bells, it’s very similar to how FTX and Alameda allegedly used FTT as collateral for their leveraged positions.

Price vs value distortions are not unique to crypto. We’ve seen it before in the GME and AMC short squeezes. Arguably, retail investors were manipulating the markets to squeeze out hedge fund short positions. There was no inherent issue with the price of these stocks as they began to moon. Maybe there was simply divergence of price and fundamental valuation.

Or was there? You could argue that the GME and AMCs of the world attained an additional premium of ‘value’ derived from the social movement on Reddit. These Redditors believed so strongly in the ‘stock go up’ and ‘HODL’ mentality that they were willing to buy the stock at higher and higher prices. Maybe price and value were never divorced at all…

But back to the culpability issue. When GME pumps, nobody seems to get into major trouble (except maybe Roaring Kitty). Mango Markets gets hacked, and Eisenberg is arrested with a million lawsuits shoved down his throat.

I guess the difference is that it’s difficult to charge a Reddit thread for market manipulation. But if you go straight to Twitter to gloat about highly profitable trading strategies, you’re an easy target.

Key takeaway: don’t gloat on social media about your successful code exploits.

Just kidding…

Market manipulation is bad, but there’s clearly a grey line in the DeFi space.

Code is meant to be law, so it’s paradoxical to say ‘code is law, code is law’ and then turn around and reject the code the second something goes ‘wrong’.

All’s well and good when code performs how you want it to. But if it also allows people to do things you didn’t want them to do, it’s no longer law and now we roll it all back. It’s for the customers, people!

The whole reason crypto is so appealing is because it’s censorship-resistant.

DeFi code is intended to run without interference, even corrective interference.

If you make a mistake, you shouldn’t be able to go back and course correct for unforeseen circumstances.

These mistakes need to be caught at the design and implementation phase.

Fortunately, these types of hacks are beneficial for market efficiency.

No DeFi protocol (that isn’t blatantly negligent) will ever make this code mistake again. It strengthens the industry as a whole.

Nobody likes it when a black hat hacker walks away with millions. Neither do I. But is code law or not?

Thanks for reading! How should the law treat code? Let me know what you think in the comments.

For other tidbits and day-to-day thoughts, I’m on Twitter and LinkedIn.


Making Crypto, Financial Markets, and Productivity Accessible ✍🏻 | Join my Community at https://xanderhoskinson.substack.com/