MangoFarmSOL is unrelated to the other Solana-based mango-themed project, Mango Markets, which was exploited in October 2022 for more than $100 million.
However, investigation by the CertiK blockchain security firm suggests that the "hack" may have been an inside job, with much of the $1.5 million that was "stolen" going to wallets with links to the Narwhal team.
The Narwhal project had launched in mid-December.
On January 6, the project's creators drained the tokens that had been put into the project, then deleted their website and social media accounts. Altogether, they withdrew 558.3 ETH (~$1.25 million).
In July 2023, an attacker stole $37.3 million from the CoinsPaid platform. CoinsPaid said at the time that they suspected the attacker was the North Korean Lazarus hacking group, which has been a prolific perpetrator of cryptocurrency thefts.
CertiK quickly regained control of the account and deleted the tweets, later explaining that an employee had been contacted by a "verified account, associated with well-known media". The journalist's account, apparently compromised, successfully phished the CertiK employee by sending what looked like a Calendly meeting scheduling link, but what was in fact a malicious link used to take over the CertiK Twitter account.
Blockchain sleuth zachxbt criticized CertiK, which describes itself as a leading blockchain security firm, for not protecting against the attack, and asked if they would be reimbursing phishing victims.
Gamma has contacted the hacker to try to negotiate a return of some of the assets, and also says they have engaged law enforcement. Although they have promised to try to repay some of the stolen assets, they are estimating between 25% and 40% recoveries for various categories of users.
- "Post-Mortem & Remediation Plan", Gamma Strategies [archive]
- "DeFi protocol Gamma Strategies suffers an estimated $3.4 million exploit", The Block [archive]
Radiant Capital sent an on-chain message to the attacker, offering to negotiate a bounty.
"I just got scammed out of $125k of stEth while trying to claim the $LFG airdrop. And I'm a fking founder of a wallet startup that's trying to improve wallet security..." wrote Lou on Twitter. "This is the first time I've been scammed. I always read about others but you never think it could happen to you..." he wrote.
If the founder of a wallet security project can't avoid scams in the crypto world, what hope do the rest of us have?
Orbit began sending the attacker on-chain messages, writing that "we will track you down and restore the damage you incurred to the ecosystem. And we will not stop." Orbit also wrote on Twitter that they were working with various law enforcement agencies.
The attack was perpetrated by the Pink Drainer group, which had recently compromised the Twitter account of Compound Finance to try to lure its more than 250,000 followers into authorizing the malicious drainer. It's not clear if that's how this wallet was drained, however, as Pink Drainer uses numerous strategies to attract victims.