Most prominent audit firms decline to work with crypto clients

On Tuesday, federal authorities announced the arrest of Avraham Eisenberg, a crypto trader who conducted what he characterized as a “highly profitable trading strategy” that drained $110 million from Mango Markets, a decentralized crypto exchange. While the complaint details Eisenberg’s activities, none of it will come as a surprise given that the entire operation publicly played out on the blockchain (and in real-time on Twitter). Days after the action, Eisenberg even tweeted he was responsible and would be returning a large portion of the funds.
While Eisenberg’s arrest is likely to raise questions around the application of commodities manipulation and fraud laws to crypto, the more important issue raised by this case involves the work of individuals to uncover weaknesses in decentralized protocols, and the impact and utility of these operations for the future of crypto.
Gareth Rhodes, a managing director at Pacific Street, formerly served as deputy superintendent and special counsel at the NYS Department of Financial Services.
Mango Markets is a crypto trading platform where users can buy, sell, lend and borrow crypto tokens. While Coinbase and Binance are centralized and operate like exchanges in traditional finance, Mango and other decentralized finance (DeFi) exchanges such as Uniswap and Aave are fully decentralized. All transactions are conducted on the blockchain, transparent to all. Rules regarding margin requirements, liquidation triggers and the setting of token prices are established by code that is posted on GitHub, and the marketplace operates without human intervention or oversight.
Mango used oracles to set the price of tokens on its exchange (which monitors the average price the same token is listed for on other exchanges) and allows a user to borrow crypto tokens worth approximately 90% of their collateral. Eisenberg took advantage of these features by accumulating a large amount of Mango’s own token, MNGO, then spending millions of dollars in illiquid markets to drive up that token's price more than 1,300%. He then borrowed $110 million in USDC stablecoins against his temporarily inflated MNGO collateral. Over the course of a few hours, MNGO’s price surged, then collapsed and Eisenberg had $110 million in cash, while Mango’s code-driven liquidation engine automatically sold the MNGO tokens for a far smaller value than what Eisenberg “borrowed.”
Eisenberg’s operation was not exactly a surprise, as the risks of such attacks on decentralized collateralized lending are well known and Eisenberg did not invent this strategy. Sam Bankman-Fried, the ex-CEO of FTX, even tweeted his own prescient observations of the danger of using an illiquid token such as MNGO as collateral. Weeks later, the SEC cited these tweets as evidence that SBF “knew, or was reckless in not knowing, that by not mitigating for the impact of large and illiquid tokens posted as collateral by Alameda, FTX was engaging in precisely the same conduct, and creating the same risk, that he was warning against” with Mango.
Eisenberg’s actions were only possible because of DeFi’s foundational principle: code is law. This means computer code, not human beings, must be the decision makers. The Mango community watched Eisenberg’s operation in real time and could do little to stop it. Eisenberg tweeted he was simply “using the protocol as designed, even if the development team did not fully anticipate all the consequences of setting parameters the way they are.”
Eisenberg is far from the only person who has spent countless hours reviewing a crypto protocol’s code and structure and attempting to attack its weaknesses. These individuals, depending on their perceived and stated intentions, are often met with derision for exploiting these flaws for illicit gain and celebration for pointing out shortcomings that can be fixed and improve protocol resilience. And while no user wants to lose money, if you are a crypto entity seeking to test the resilience of

your protocol, your best option is probably to hope an enterprising hacker will take a deep look and attempt an exploit and return the money. Most prominent audit firms decline to work with crypto clients and while some have suggested government regulation will fix these issues, the SEC examined Bernie Madoff’s firm five times without uncovering the fraudulent scheme.