mgnr.io ❤ Maple.finance
tl;dr: mgnr.io took millions of uncollateralised USDC from Maple.finance, used those millions to farm MPL and dump on MPL holders. This was done, over months, either without Maple noticing, or with their blessing.
I would like to present the on chain evidence for the following:
1. Maple recklessly allocating capital to actors that fuck MPL token holders.
2. mgnr doing said fucking.
3. mgnr not having the decency of mixing their tokens through a CEX, (speculation: like the rest of the borrowers do.)
4. Orthogonal trading and Maven11 Capital being incompetent pool delegates (speculation: might be malice and not incompetence).
To understand the problem, we first need to understand what service Maple are offering.
Maple.finance is a marketplace where anyone can lend funds, but only approved institutions can take borrow. Lenders are incentivised with the MPL token to lend USDC to the pool. The people doing the vetting process are called delegates, with Maple “overseeing” the process.
To be given a loan, the institution must provide information for the purpose of the loan and prove their credibility to the delegate who then decides if the loan application is approved. The application and approval process is not public, which is where historically things tend to get murky.
Let’s see how well those pools are “managed” by the delegates and Maple’s “oversight”…
mgnr Loan #1: 4M USDC, approved by Josh Green Orthogonal Trading
The beauty of this play is having 0 smart contract risk while getting to yield farm with millions of USDC, which are not out of pocket.
Following the loan on chain:
Borrow 4M USDC from Maple https://etherscan.io/address/0x9002eb1a5d2c47ca7d9d91aced6182dc85667ede#tokentxns
Transfer to a 2nd wallet https://etherscan.io/tx/0x727b2088677997a48113a5c1a9ecdb5470b5a63c839675c59a7b923949b80cea
Double dip with 2M by lending them back to Maple.
https://etherscan.io/tx/0xfb4d1fe856a25626621bab66c538c4ed8d1ab9003d42ec0c299557bf1aeaf243
In the case Maple contracts get exploited, and mgnr have to repay the loan, they can claim that Maple lost their funds which they deposited into Maple, and thus default on the loan, or repay once Maple reimburse the victims.
Zero risk.
Token printer go Brrrr https://etherscan.io/token/0x33349b282065b0284d756f0577fb39c158f935e6?a=0xb079f40dd951d842f688275100524c09bef9b4e2
Effectively profiting 1.15M$ in ~200 days.
What seems to be the problem you might wonder? Well, there are 3.
1. When taking out a loan from Maple, mgnr are to provide a reason for the loan, and detail how those funds are going to be used in order for the loan to be approved by the delegates. Which leaves two options:
The first option, the reason provided was “farm MPL” if that is the case the delegate has not done their job.
The second option is mgnr provided a different reason when applying and tricked the delegate.
2. Regardless of the two options above, the delegate can watch the funds lent and see if they indeed follow the reason for the loan, which the delegate failed to do.
3. No one from Maple noticed, this easily spotted behaviour, since there is no incentive to spot such abusive actions. TVL numba up, Maple happy.
And if you’re not caught the first time, double down…
mgnr Loan #2: 8.5M USDC, approved by Balder Bomans Maven11
Following the loan on chain:
Borrow 8.5M USDC from Maple https://etherscan.io/address/0x9ed6235ab7ccda3032de10cae9342bf55500a73f#tokentxns
Transfer to a 2nd wallet https://etherscan.io/address/0xe79bc301e7dfaeb5eb0a3cc3be3ab71cf721ae6f#tokentxns
Deposit 8.45M back to Maple: https://etherscan.io/tx/0x15d39ad7e2ac80afdcff0f3f8353fddbdc9f4308d7c5b10429796206f345825a
Dump flow:
Collect reward https://etherscan.io/token/0x33349b282065b0284d756f0577fb39c158f935e6?a=0xe79bc301e7dfaeb5eb0a3cc3be3ab71cf721ae6f
Dump for profit
https://etherscan.io/tx/0x839f9d9d7f44e30c63e9f1bb1b04cba72a60381d956009ced03f874e81ff9e8b
Here we have the original 3 problems, plus a new one.
4. Maven11, the delegate approving the loan, could have looked at the previous loan and see where the previous loan went, before approving the new loan. Which they did not. Nor has anyone from Maple noticed what was happening.
Speculation section:
I’m assuming that mgnr.io are not the only actor taking advantage of this play. The rest just had a bit more sense as to go through a CEX first and not be sloppy/arrogant enough to deposit directly back.
I’m also assuming that cross delegate loans, where one delegate approves loans to the other are not a healthy practice.
Furthermore, Maple and its delegates approving loans to seed round participants is probably a result of special treatment.
Suggested courses of action:
1. Mngr.io return the farming rewards to Maple.
2. Maven11 and Orthogonal trading are relieved of their delegate duties.
3.The fees that were given to Maven11 and Orthogonal are to be donated by them to Gitcoin grants, since clearly they did not do the work and got paid.
4. The loan purpose becomes public and shared with the Maple community, so that the community can track use of the funds for that purpose.
