Fintechs.fi

Fintech & Crypto News

Terra-based Mirror Protocol Blocks Exploit After $2 Million Lost

An analyst revealed that the developers of the DeFi app who were “MIA” had reportedly averted a major crisis, but $2 million were drained nonetheless.

Mirror Protocol, a decentralized finance app running on the old Terra blockchain, has reportedly suffered yet another exploit. The exploit was discovered on May 30 by a governance participant, “Mirroruser”, on the Terra Research Forum.

The Exploit

The issue arose from the fact that the price oracles mismatched Terra (LUNA) and Terra Classic (LUNC) prices, giving the attacker an opportunity to cheaply obtain the more valuable asset and swap it for other assets used by Mirror Protocol.

The Terra analyst and whistleblower known as “FatMan” confirmed the attack in a series of tweets shortly after, and warned that if the vulnerability remained unaddressed, it would put all of Mirror Protocol's pools for tokenized assets at risk. After hours of delay, the devs were able to get the situation under control and further losses were avoided.

Everything started with a bug in the pricing oracle for Terra Classic validators that enabled the exploit. Mirror Protocol essentially enables users to create and trade mirrored assets, also known as mAssets, that “mirror” or are closely tied to the price of stocks, as the name suggests.

The DeFi app has its native versions of Bitcoin (mBTC), Ethereum (mETH), Polkadot (mDOT), etc., which closely mirror the price moves of the underlying assets. In addition to these pools, the buggy oracle enabled the attacker to drain the pool for the token representing Galaxy Digital stock (mGLXY) as well.

The Response

Chainlink community ambassador “ChainLinkGod” explained that the root cause was that the validators of the old Terra blockchain (Terra Classic) were running an outdated version of the oracle software that published erroneous pricing. The Terra Classic validators were reporting the price of the new LUNA instead of the old LUNC.

In the nick of time, the devs fixed the issue with the LUNC price feed. Mirror Protocol then disabled the usage of mBTC, mETH, mGLXY, and mDOT as collateral, which prevented the attacker from using the ill-gotten funds to drain the rest of the pools.
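The kind of guard that catches a feed publishing the wrong asset's price, and the collateral pause used in the response, can be sketched as follows. This is an added example, not code from Mirror Protocol or Terra; the function names, the 20% tolerance, the 1.5 collateral ratio and all prices are assumptions constructed for illustration.

```python
from statistics import median

# Assumed tolerance: a feed more than 20% from the reference median is rejected.
MAX_DEVIATION = 0.20

def feed_deviation(oracle_price, reference_prices):
    """Relative distance of the oracle price from the median of independent sources."""
    if oracle_price <= 0 or not reference_prices:
        return float("inf")  # fail closed: no usable data means "do not trust"
    ref = median(reference_prices)
    if ref <= 0:
        return float("inf")
    return abs(oracle_price - ref) / ref

def collateral_policy(oracle_feed, references, max_deviation=MAX_DEVIATION):
    """Pause an asset as collateral whenever its oracle price fails the check."""
    policy = {}
    for asset, price in oracle_feed.items():
        dev = feed_deviation(price, references.get(asset, []))
        policy[asset] = "enabled" if dev <= max_deviation else "paused"
    return policy

def max_mint_value(asset, amount, oracle_feed, policy, collateral_ratio=1.5):
    """Value that may be minted against `amount` of `asset`; zero while paused."""
    if policy.get(asset) != "enabled":
        return 0.0
    return amount * oracle_feed[asset] / collateral_ratio

# Constructed sample data, not real market prices. The LUNC entry imitates
# a feed that publishes the new LUNA price under the old LUNC label.
ORACLE_FEED = {"LUNC": 9.80, "mBTC": 31500.0}
REFERENCES = {
    "LUNC": [0.00011, 0.00012, 0.00010],
    "mBTC": [31480.0, 31510.0, 31620.0],
}

if __name__ == "__main__":
    policy = collateral_policy(ORACLE_FEED, REFERENCES)
    for asset, state in policy.items():
        print(asset, state, feed_deviation(ORACLE_FEED[asset], REFERENCES[asset]))
    print(max_mint_value("LUNC", 1_000_000, ORACLE_FEED, policy))
```

An asset with no independent reference is paused rather than trusted, so a missing data source cannot silently widen what the protocol accepts.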

Some members of the community have speculated that the entire event was an inside job, but FatMan believes otherwise. In a series of tweets he wrote:

“It really just looks like negligence of the highest order, but given what’s transpired this month, you can’t really put anything past them. I see no reason/evidence to believe this is an inside job at this stage. It’s basically a game of who has the fastest bot.”

This is the second recent attack on Mirror Protocol. An attack from October 2021 went unnoticed until last week, when it was found to have cost the protocol $90 million.
