Crypto group lets hacker keep stolen $80 million in settlement

“I believe all of our actions were legal open market actions, using the protocol as designed, even if the development team did not fully anticipate all the consequences of setting parameters the way they are,” according to the account, which claimed to be Avraham Eisenberg.

When reached on Twitter, the user did not immediately provide evidence of his identity. Mr Schneider pointed to the tweet as coming from the hacker, saying he disagreed that the actions were legal.

The payout is likely one of the biggest ever to a hacker.

More than a year ago, PolyNetwork offered an attacker who drained $US610 million from the platform a job and a bounty for returning the funds, which were eventually reimbursed. Bounties can run into millions – but they are typically offered to coders who point out vulnerabilities, not to hackers who steal funds.

“This is a clear failure of secure governance,” said Michael Lewellen, head of solutions architecture at crypto security provider OpenZeppelin.

“If an attacker can steal enough tokens to vote themselves a reward, it sends a signal that DAOs [decentralised autonomous organisations] can be hacked successfully using stolen tokens to avoid repercussions. This signals the need for better governance security that accounts for malicious token voters.”

In the Mango heist, two accounts funded with the stablecoin USD Coin took large positions in Mango perpetual futures, causing the price of the Mango token to spike. The price jump created an unrealised profit on the futures. The attacker used that profit to borrow and withdraw about $US100 million, leaving depositors with nothing.

Hacks in crypto are common, with at least $US718 million stolen so far in October alone, taking the gross tally for the year past $US3 billion and putting 2022 on course to be a record for the total value hacked, according to blockchain specialist Chainalysis.

Bloomberg
