April 19, 2024

The hacker withdrew $90 million from the Mirror protocol. This was discovered seven months later.

The Terra DeFi protocol Mirror was the victim of an exploit worth more than $90 million, discovered by the analyst FatMan and confirmed by experts from the cybersecurity firm BlockSec.

To open a short position on synthetic shares in Mirror Protocol, the user must lock collateral (UST, LUNA Classic and mAssets) for at least 14 days. After the operation is completed, the tokens can be withdrawn back to the wallet.

To identify the asset owner, an ID generated by the smart contract is used. Due to the vulnerability, the protocol was unable to block multiple withdrawals by the same user. In October 2021, this was discovered by an unknown person who caused a total of $90 million in damage, an amount hundreds of times higher than the amount of collateral he locked.

BlockSec explained that this became known only now because the Mirror site did not display data on the amounts deposited by users. Another factor was the lack of community attention to the analysis of data in the Terra blockchain compared to Ethereum and EVM-compatible networks.
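The kind of on-chain reconciliation that would surface such withdrawals, as an added example that is not from the article, BlockSec or Mirror: it totals releases per position ID and flags any ID released more than once, for more than was locked, or before the 14-day period ended. The event tuple layout, addresses and amounts are constructed assumptions, not real chain data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCK_PERIOD = timedelta(days=14)  # minimum lock time stated in the article

# Constructed sample events: (kind, position_id, owner, amount_ust, time)
EVENTS = [
    ("lock",   "101", "terra1alice", 1_000, "2021-10-01T00:00:00"),
    ("lock",   "102", "terra1bob",   5_000, "2021-10-02T00:00:00"),
    ("unlock", "102", "terra1bob",   5_000, "2021-10-17T00:00:00"),
    ("unlock", "101", "terra1alice", 1_000, "2021-10-16T00:00:00"),
    ("unlock", "101", "terra1alice", 1_000, "2021-10-16T00:00:00"),
    ("unlock", "101", "terra1alice", 1_000, "2021-10-16T00:05:00"),
    ("lock",   "103", "terra1carol", 2_000, "2021-10-10T00:00:00"),
    ("unlock", "103", "terra1carol", 2_000, "2021-10-12T00:00:00"),
]

def audit(events):
    """Return {position_id: [findings]} for positions whose releases do not reconcile."""
    locks = {pid: (owner, amt, datetime.fromisoformat(ts))
             for kind, pid, owner, amt, ts in events if kind == "lock"}
    released, count = defaultdict(int), defaultdict(int)
    findings = defaultdict(list)
    for kind, pid, owner, amount, ts in events:
        if kind != "unlock":
            continue
        if pid not in locks:
            findings[pid].append("unlock without matching lock")
            continue
        lock_owner, _, locked_at = locks[pid]
        released[pid] += amount
        count[pid] += 1
        if owner != lock_owner:
            findings[pid].append("released to non-owner")
        if datetime.fromisoformat(ts) - locked_at < LOCK_PERIOD:
            findings[pid].append("released before lock period ended")
        if count[pid] == 2:  # report the repeat once, on the second release
            findings[pid].append("position released more than once")
    for pid, total in released.items():
        if total > locks[pid][1]:
            findings[pid].append(f"released {total} UST against {locks[pid][1]} locked")
    return dict(findings)
```
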

In May, a few days after the collapse of Terra, the developers of Mirror Protocol eliminated the exploit. On the community forum, the team left unanswered the question of whether someone managed to exploit the vulnerability.

The other day, an unknown person withdrew another $2 million from the Mirror as a result of problems with the display of quotes by oracles. This vulnerability was discovered by a member of the Mirroruser community and confirmed by FatMan.

Most validators in the Terra Classic network were using an outdated version of the oracles. The latter provided the system with data on the cost of LUNA Classic (LUNC) at the rate of 5 USTC (~$0.12), while the real price did not exceed $0.0001. As a result, the attacker emptied several liquidity pools (mBTC, mETH, mDOT and mGLXY).

The analyst warned that the hacker could also do the same to the mAsset pools, leading to the accumulation of bad debt and the collapse of the protocol. Access to them was suspended until the start of the pre-trading session of the shares to which they are linked.

The situation was "saved" by the weekend and by Memorial Day, observed in the United States on May 30, on which the stock market was closed.

The developers listened to the expert's advice. They disabled the use of mBTC, mETH, mGLXY and mDOT as collateral, preventing a "disaster". As a result, the attacker lost the ability to empty the liquidity pools.

Recall that in May FatMan suspected Terraform Labs CEO Do Kwon and venture capitalists of manipulating Mirror Protocol.