Is something rotten at Mango DAO?

A version of this article appeared in our The Decentralised newsletter on May 14. Sign up here.

GM, Aleks here filling in again for Tim.

Here’s what caught my DeFi-eye recently:

• Mango DAO’s trouble didn’t end with Avi Eisenberg.
• Vitalik Buterin’s Ethereum wallet proposal.
• Hacker returns millions in stolen Bitcoin.

Mango DAO leaders respond to buyback controversy

Most of our readers are probably familiar with the 2022 exploit of Solana DeFi protocol Mango Markets, in which infamous trader Avraham Eisenberg managed to swipe about $110 million in crypto.

Eisenberg returned a good chunk of the money to the Mango DAO, the digital cooperative that manages the protocol. Mango’s been limping along since then, with deposits a mere fraction of their pre-exploit highs.

But it wasn’t exactly left for dead. After scrutinising recent moves by DAO leadership, critics think something smells rotten.

Senior Mango DAO contributors John Kramer and Max Schneider have been accused of buying 333 million MNGO governance tokens and subsequently pushing through a proposal to sell them back to the DAO at an inflated price for an alleged $3 million profit.

My colleague Tim Craig contacted both. They have denied the accusations.

But questions remain.

The MNGO tokens were purchased from the estate of collapsed exchange FTX. Onchain evidence suggests that Schneider and Kramer’s trading firm, called CKS Systems, may be behind the purchase.

DL News asked Schneider if CKS Systems bought FTX’s MNGO tokens. He declined to comment.

Vitalik wants to make Ethereum wallets more user-friendly

Let’s be real: Using crypto can be terrifying, with the irreversible transactions, the missing or forgotten keys, etc.

The solution? “Account abstraction,” which brings a Web 2-style experience to crypto. Think: passwords and usernames, for example.

Account abstraction has been around for more than a year. But it hasn’t caught on, with an Ethereum Foundation fellow calling the so-called “smart accounts” that use AA the “second-class citizen[s] of the network.”

Enter the itinerant software developer (and Ethereum co-founder) Vitalik Buterin.

Buterin recently authored a proposal that would make it possible for existing wallets to use AA. At the moment, Ethereum users have to go through the hassle of creating brand-new smart accounts.

“It’s still a very early proposal, so we need to evaluate all the rough edges,” Ethereum core developer Marius van der Wijden told DL News.

If successful, the proposal will unlock new transaction types, prevent users from losing access to their funds through email recovery, and even facilitate new use cases for the top smart contract network.

Dubbed EIP-7702, the proposal will probably be included in Ethereum’s next major upgrade. That upgrade is scheduled for the fourth quarter of 2024.

Bitcoin hacker returns funds for “bounty” … but doesn’t keep the bounty

I’ve seen a lot of crypto hacks. Most of them go something like this:

The hacker drains a protocol. The protocol’s representatives, leery of a time-consuming manhunt, tip their hat, and make an offer: return 90% of the crypto, and we’ll pretend this was a “bug bounty” — payment for the service of finding a vulnerability in our design. No calling the police, no pressing charges. The hacker usually ignores this request.

Not this time.

A couple weeks ago, someone nabbed a staggering $72 million in wrapped Bitcoin tokens — Bitcoin on the Ethereum blockchain.

It was a classic phishing attack, in which the hacker convinced the victim to send their crypto to the wrong address. (Where’s account abstraction when you need it?)

But the victim and the hacker agreed to a deal that will see the return of 90% of the funds. Both parties negotiated the deal via onchain messaging and Telegram chats.

“You’ve won, brother. You can keep 10% and return the 90%. We can act like nothing happened,” the victim communicated to the hacker via onchain messaging on May 4. “We both know $7 million is enough to live very comfortably, but $70 million will keep you up at night.”

The saga took another turn on Friday.

According to onchain data, the hacker returned all the crypto. It wasn’t immediately clear why they didn’t keep their 10%, but crypto security firm Match Systems put out a statement saying it had assisted in the recovery.

“At the moment, the victim has no complaints against the attacker. Further comments will be later,” Match said.

Data of the week — ZkLink’s surge

ZkLink Nova, a new, layer 3 blockchain, had a good weekend:

It wasn’t just transactions. According to data from DefiLlama, crypto deposited in ZkLink Nova’s DeFi ecosystem has more than doubled since Friday.

This week in DeFi governance

VOTE: Uniswap wants to get people more active in governance.

VOTE: Arbitrum wants to get into M&A.

VOTE: Aave looks to fund GHO’s stability modules.

Post of the week

Billionaire Mark Cuban defends crypto amid a series of posts in which he slams Securities and Exchange Commission chair Gary Gensler’s treatment of the industry.

Are you asking about cash or crypto ? For crypto: lower cost of capital transfers, immediate collateralized loans, store of value , tokenization of assets, application and retention of royalties to digital assets like books, real time, low cost insurance markets , cold storage… https://t.co/McAXGsfvIG

— Mark Cuban (@mcuban) May 12, 2024

What we’re watching

Crypto from the 2017 hack of Parity, the company behind the Polkadot blockchain, is on the move:

🚨ALERT🚨 In 2017, a vulnerability in Parity Multisig Wallet version 1.5+ led to the theft of over 150K ETH, valued at approximately $30M USD at the time.

The hacker behind this theft has demonstrated remarkable patience, marking a significant chapter in crypto history. Today,… pic.twitter.com/JPD5nJcmrJ

— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) May 13, 2024

In 2017, the hacker stole 150,000 Ether, worth about $30 million at the time. On Monday, the hacker began laundering about $9 million in Ether. They control a wallet that holds about $250 million in Ether.

Got a tip about DeFi? Reach out at aleks@dlnews.com.