Insights Header image
Insights Header image
Insights Header image

Part 3 of McMillan Series – DeFi Platform Mango Loses $117 Million in Smart Contract Exploit: Avraham Eisenberg Arrested and Sued

February 8, 2023 Corporate Commercial Litigation Bulletin 7 minute read

In Part 1 of this series, we described a crypto exploit in which a rogue trader drained over $116 million in liquidity from the Solana-based DeFi platform, Mango Markets (“Mango”). We noted that decentralized autonomous organizations (“DAO(s)”) are facing increasing pressure to protect community members from vulnerabilities in smart contracts.

In Part 2 of this series, we analyzed the settlement that Mango negotiated with its exploiter, Avraham Eisenberg. We considered whether that settlement was valid, and identified novel legal issues arising from all settlements between DAOs and exploiters in the DeFi space. The main issue we identified was whether these settlements, which purportedly prohibit token loss holders from seeking remedies in civil courts or from filing criminal complaints with law enforcement, are legally binding.

In Part 3 of this series, we describe two important developments in this fascinating story. Both developments highlight the weaknesses of Mango’s settlement with Eisenberg as law enforcement and loss holders seek to hold him accountable. Both developments also demonstrate the challenges that DAOs have (and will continue to have) when attempting to settle with those who exploit their code.

1.    Eisenberg Arrested

The first update concerns Eisenberg’s arrest.

On December 26, 2022, a few weeks after Sam Bankman-Fried was arrested in the Bahamas,[1] the Federal Bureau of Investigation (the “FBI”) arrested Eisenberg in Puerto Rico.[2] According to now unsealed court documents, Eisenberg faces charges of commodities fraud and commodities manipulation.[3]

A deposition sworn by FBI Special Agent Brandon Racz (the “Racz Deposition”) alleges that Eisenberg “knowingly and intentionally” manipulated the price of a commodity: perpetual futures contracts on Mango Markets.[4]

According to CoinDesk, Eisenberg may be the first US resident to face charges for manipulating a DeFi trading platform.[5]

When we described Mango’s purported settlement with Eisenberg in Part 2 of this series, we noted that many Mango token holders had expressed frustration with the settlement. Token holders were particularly frustrated that: (a) Eisenberg had voted in favour of the settlement with tokens he acquired in the exploit; and (b) the settlement forced token holders to ‘promise’ not to pursue any criminal investigations or freeze any funds against Eisenberg. At that time, we questioned whether DAO settlement proposals to exploiters (and subsequent community votes to ‘validate’ them) constituted valid offers of settlement, and whether they bound token holders at all. There is good reason to believe they do not.

There is also reason to believe that Mango token holders did not abide by the settlement agreement. Based on the Racz Deposition, it appears likely that, notwithstanding Mango’s purported settlement with Eisenberg, certain Mango token holders spoke to the FBI about the Mango exploit. For instance, Special Agent Racz noted that he communicated “with individuals who have knowledge of Mango DAO’s operations”. Racz also wrote that he participated “in discussions with individuals [who are] knowledgeable about [Mango]”.[6] Based on these comments, it appears that one or more token holder(s), who were purportedly ‘bound’ by Mango’s so-called settlement agreement, may have acted contrary to its terms.

Even Eisenberg may have doubted the validity of the settlement agreement. After the Mango exploit, Eisenberg fled the United States,[7] suggesting he had little hope in being protected from civil suits and criminal charges. In the end, Eisenberg did not flee far enough, as his arrest in Puerto Rico demonstrates.

Those who doubted the validity of Mango’s settlement agreement with Eisenberg were likely right. As noted in Part 2 of this series, courts normally find that promises not to file criminal charges are void and unenforceable because: (a) prosecuting criminal charges is in the public’s interest; and (b) “concealing” or “stifling” criminal prosecution is contrary to public policy. Any party who promises or agrees not to file a criminal complaint not only risks rendering that agreement unenforceable, but also risks attracting criminal sanctions for “stifling” prosecution.

In addition to the aforementioned criminal charges, the Commodity Futures Trading Commission[8] and Securities and Exchange Commission[9] have filed their own charges against Eisenberg. These filings raise even more interesting questions about the evolving nature of DAOs and how they are structured.

The filings also restate a message that US regulators are sending loud and clear: When there is evidence of price manipulation, DeFi crypto trading is not immune to scrutiny or prosecution – no matter what smart contract code might permit. This topic will be covered in the next part of our Mango Market series.

2.    Eisenberg Sued

The second development concerns a recent civil lawsuit filed against Eisenberg.

On January 25, 2023, only a month after Eisenberg’s arrest, Mango commenced a private lawsuit against Eisenberg.[10] Mango grounds its claim in three causes of action: conversion, fraudulent misrepresentation, and unjust enrichment.[11]

This development is interesting for many reasons.

One reason is that Mango is suing Eisenberg through a limited liability company (Mango Labs LLC) and is therefore uniquely positioned to recover assets on behalf of its users. In most cases, token loss holders are left to sue exploiters on their own. In other cases, DAO principals or core contributors sue exploiters to recover their own losses and then seek class action certification. By bringing a lawsuit as an incorporated entity, Mango avoids these hurdles altogether.

Another reason this development is interesting is the way in which Mango is trying to extricate itself from its purported settlement agreement with Eisenberg. In its claim against Eisenberg, Mango seeks a declaration “rescinding the settlement and release agreement” between its users and Eisenberg, and declaring it unenforceable.[12]

Mango alleges that it entered the settlement agreement with Eisenberg while under duress. In particular, Mango says there was a “threat” hanging over their heads: the threat that Eisenberg would “retain all of the converted proceeds of his attack.”[13] Accordingly, Mango alleges that its users “had no choice but to vote for the governance proposal” and could not exercise their free will.[14] In Mango’s view, the settlement and release agreements are unenforceable.

This legal challenge is not surprising. It was predicted in Part 2 of this series and in a recent interview with CoinDesk, which is available here.

3.    Looking Ahead

Eisenberg’s criminal prosecution and the subsequent private claim against him raise serious legal questions about the intersection of DeFi exploits and the law. While the public waits for US courts to answer those questions, we can reflect on some interesting lessons we have learned to this point, and which DAOs and other crypto exchanges should keep in mind:

  • First, it is increasingly unlikely that anyone – whether DAO principals or token holders – can validly promise not to file a criminal complaint when attempting to settle with an exploiter. The criminal justice system will almost certainly ignore those promises in favour of public policy considerations, and it will not be hard for law enforcement to find loss holders willing to assist in such an investigation.
  • Second, there is good reason to doubt the effectiveness of a DAO vote in seeking to bind diverse token holders who have disparate interests. DAO users may have a common commercial interest in how the platform operates to create profit, but they are still individual legal persons who are entitled to assert their legal rights when harmed. Moreover, serious conflicts and complications may arise when core contributors or principals attempt to craft proposals and manage votes on settlement offers, making such ‘DAO-wide’ settlements ripe for challenge.
  • Third, Eisenberg’s arrest and the private lawsuit make clear that while crypto investors are pushing the envelope on securities law and financial instruments, they are increasingly turning to traditional forms of dispute resolution and recovery, such as the civil court system, when seeking redress after exploits and attacks.
  • Finally, Eisenberg’s attempt to flee the United States is also a reminder of a reoccurring lesson with DeFi attacks. While DeFi exploiters are quick to defend their actions in online forums and on social media, when it comes to establishing a legal defence to criminal and civil allegations, the ordinary tools and rules of the court system will continue to adapt and will stand the test of time. The Mango exploit is but one example of many DeFi attacks where the exploiter is more than willing to share their defence theories online, but much less inclined to do so in a court of law. In Cicada 137, these authors successfully obtained Canada’s first reported Anton Piller Order (civil search and seizure) over a crypto cold storage wallet.[15] With the exception of one virtual court attendance, the defendant exploiter, Andean Medjedovic, fled Canada and ignored the court proceeding, leading to a warrant being issued for his arrest.

4.    Next In This Series

Mango incorporated as a limited liability company in April 2022 in the state of Wyoming. Luckily, such a corporate reorganization allowed Mango to seek standing to bring the civil suit.

DAOs restructuring and adopting traditional legal personalities in order to operate as an entity that is independent of users or core contributors is a continuing trend in the DeFi space. We are also seeing DAOs starting to create legal defence funds to cover legal expenses not covered by insurance, because of questions surrounding the legal standing of such entities.[16] These developments raise many interesting questions regarding what DAOs are at law, and what they could become.

Our next bulletin will focus on how and why DAOs restructure, and whether it provides effective legal armour in the vulnerable-to-attack DeFi space.

[1] Sam Bankman-Fried was arrested by The Royal Bahamas Police Force and has since been extradited to the United States. See Mary Ann Azevedo, “FTX Founder Sam Bankman-Fried has been arrested in the Bahamas”, TechCrunch+, 12 December 2022, online; and Edward Helmore, “Sam Bankman-Fried headed to US after extradition from Bahamas”, The Guardian, 21 December 2022, online.
[2] Unsealing Order 22 Mag. 10337, United States of America v Avraham Eisenberg, online.
[3] Deposition of Special Agent Brandon Racz, 22 Mag. 10337, United States of America v Avraham Eisenberg, online.
[4] Deposition of Special Agent Brandon Racz, 22 Mag. 10337, United States of America v Avraham Eisenberg, online, at para 2.
[5] Danny Nelson & Nikhilesh De, “Mango Markets Exploiter Eisenberg Arrested in Puerto Rico”, updated January 5, 2023, CoinDesk, online.
[6] Deposition of Special Agent Brandon Racz, 22 Mag. 10337, United States of America v Avraham Eisenberg, online at paras 7 and 16.
[7] Deposition of Special Agent Brandon Racz, 22 Mag. 10337, United States of America v Avraham Eisenberg, online at para 18.
[8] Release Number 8647-23, “CFTC Charges Avraham Eisenberg with Manipulative and Deceptive Scheme to Misappropriate Over $110 million from Mango Markets, a Digital Asset Exchange”, 9 January 2023, Commodity Futures Trading Commission, online.
[9] Release 2023-13, “SEC Charges Avraham Eisenberg with Manipulating Mango Markets’ “Governance Token” to Steal $116 Million of Crypto Assets”, 20 January 2023, US Securities and Exchange Commission, online.
[10] Mango Labs, LLC v Avraham Eisenberg, Index No. 23-CV-665 at para 1.
[11] Mango Labs, LLC v Avraham Eisenberg, Index No. 23-CV-665 at para 1.
[12] Mango Labs, LLC v Avraham Eisenberg, Index No. 23-CV-665 at para 88.
[13] Mango Labs, LLC v Avraham Eisenberg, Index No. 23-CV-665 at para 83.
[14] Mango Labs, LLC v Avraham Eisenberg, Index No. 23-CV-665 at para 84.
[15] Cicada 137 LLC v Medjedovic, 2021 ONSC 8581.
[16] Zhiyuan Sun, “MakerDAO launches $5M legal defense fund”, February 1, 2023, CoinDesk, online.

by Benjamin Bathgate, Reuben Rothstein, Madeline Klimek

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2023

Insights (5 Posts)View More

Featured Insight

Ready for Change? Bill C-59 Rewrites the Competition Playbook

Bill C-59 has been enacted, introducing significant changes to all aspects of Canada’s competition law regime.

Read More
Jun 21, 2024
Featured Insight

BC Court of Appeal Improves Predictability for Employers Relying on Termination Provisions

In a recent decision, the BCCA provides the clarity sought by employers and employees alike for what is needed for an enforceable termination provision.

Read More
Jun 19, 2024
Featured Insight

Corporate Restructuring Meets Intellectual Property: Quebec Superior Court Overturns Disclaimer Notice and Issues the First Canadian Interpretation of Usage Rights under the CCAA

In the context of a restructuring, the debtor's right to resiliate a contract under s. 32 of the Companies' Creditors Arrangement Act is far from absolute.

Read More
Jun 19, 2024
Featured Insight

Court Upholds Shareholder-Employee Loan to Acquire a Residence

Discussion of a recent Court decision that a loan to an owner-manager to refinance his home was not a "shareholder benefit".

Read More
Jun 19, 2024
Featured Insight

Time to Get Tough! CARR Provides Guidance for CDOR Tough Legacy Contracts

CARR released guidance with respect to tough legacy contracts in Canada that don't have workable CDOR fallback language; who this applies to; why it was issued.

Read More
Jun 18, 2024