
Hacker drains $90 million from Mirror Protocol; discovery seven months later
The Terra-based DeFi protocol Mirror was the target of an exploit for more than $90 million. It was uncovered by analyst FatMan and confirmed by cybersecurity firm BlockSec.
As pointed out by many followers (thanks very much), the attack transaction can be viewed on the ‘classic’ chain (https://t.co/9nmweKv1hC).
We have made a clarification here: https://t.co/Sqj5jet6Ij
— BlockSec (@BlockSecTeam) May 29, 2022
To open a short position on Mirror Protocol’s synthetic asset, collateral (UST, LUNA Classic and mAssets) must be locked for at least 14 days. After the operation is completed, the tokens can be withdrawn back to the wallet.
To establish asset ownership, an identifier generated by the smart contract was used. Because of a vulnerability, the protocol did not block repeated withdrawals by the same user. In October 2021, an unknown person uncovered this, causing losses totalling $90 million, an amount hundreds of times larger than the collateral he had locked.
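A constructed model of the flaw described above, added here as an illustration and not Mirror's own contract code (Mirror runs as CosmWasm contracts written in Rust; the struct and function names below are assumptions). The vulnerable withdrawal leaves the lock record in place after paying out, so the same position id pays out again on every call; the fixed version consumes the record.

```rust
use std::collections::HashMap;

/// One locked collateral position (constructed model, not Mirror's state layout).
#[derive(Clone, Debug, PartialEq)]
struct Lock {
    owner: String,
    amount: u128,
    unlock_time: u64,
}

/// Minimal lock contract: positions keyed by a contract-generated id.
#[derive(Default)]
struct LockContract {
    next_id: u64,
    locks: HashMap<u64, Lock>,
    balances: HashMap<String, u128>,
}

impl LockContract {
    /// Lock `amount` for `owner`; it may be withdrawn once `now + min_lock` is reached.
    fn lock(&mut self, owner: &str, amount: u128, now: u64, min_lock: u64) -> u64 {
        let id = self.next_id;
        self.next_id += 1;
        self.locks.insert(id, Lock { owner: owner.into(), amount, unlock_time: now + min_lock });
        id
    }

    /// Vulnerable: owner and time are checked, but the position is never consumed,
    /// so a second call with the same id pays out the same collateral again.
    fn withdraw_vulnerable(&mut self, id: u64, caller: &str, now: u64) -> Result<u128, &'static str> {
        let lock = self.locks.get(&id).ok_or("unknown position")?;
        if lock.owner != caller { return Err("not owner"); }
        if now < lock.unlock_time { return Err("still locked"); }
        let amount = lock.amount;
        *self.balances.entry(caller.into()).or_default() += amount;
        Ok(amount)
    }

    /// Fixed: the position record is removed at payout, so replaying the id fails.
    fn withdraw_fixed(&mut self, id: u64, caller: &str, now: u64) -> Result<u128, &'static str> {
        let lock = self.locks.get(&id).ok_or("unknown position")?;
        if lock.owner != caller { return Err("not owner"); }
        if now < lock.unlock_time { return Err("still locked"); }
        let amount = lock.amount;
        self.locks.remove(&id); // consume the position before crediting the balance
        *self.balances.entry(caller.into()).or_default() += amount;
        Ok(amount)
    }

    fn balance(&self, who: &str) -> u128 { *self.balances.get(who).unwrap_or(&0) }
}
```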
BlockSec explained that this became known only now because Mirror’s site did not display data on the amount of collateral deposited by users. Another factor was the community’s insufficient attention to blockchain data analysis on Terra compared with Ethereum and EVM-compatible networks.
In May, a few days after the Terra collapse, Mirror Protocol fixed the exploit. On the forum, the team left unanswered a question about whether anyone had exploited the vulnerability.
Recently an unknown actor withdrew another $2 million from Mirror amid issues with oracle price display. This vulnerability was spotted by a member of the Mirror user community and confirmed by FatMan.
Mirror Protocol is being exploited again as we speak, and the devs are completely MIA. So far, the attacker has drained over $2m and counting — the attack will get worse when markets open tomorrow unless the dev team steps in and fixes the price oracle. @mirror_protocol (1/4)
— FatMan (@FatManTerra) May 30, 2022
The analyst warned that the hacker could also do the same with mAsset pools, risking a build-up of hopeless debt and the protocol’s collapse. Access to them was suspended until the start of the pre-market trading session.
The situation was saved by the weekend and Memorial Day in the US, when the stock market was closed.
Developers heeded the expert’s advice. They disabled the use of mBTC, mETH, mGLXY and mDOT as collateral, preventing a “catastrophe”. As a result, the attacker lost the ability to drain liquidity pools.
Crisis averted — in the nick of time, Mirror disabled the usage of mBTC, mETH, mGLXY and mDOT as collateral. The attacker can no longer use his ill-gotten endowment to drain the rest of the pools. Great job @mirror_protocol — thank you! https://t.co/o64SVIRBmZ
— FatMan (@FatManTerra) May 31, 2022
Earlier in May, FatMan suspected Terraform Labs CEO Do Kwon and venture capitalists of manipulating Mirror Protocol.