Mirror Protocol, a DeFi application built on the old Terra blockchain, suffered a $90 million exploit in October 2021 that went entirely undiscovered until last week. The attacker was able to unlock collateral from the protocol multiple times while paying only a small fee each time.
Terra’s DeFi Attacked Seven Months Ago
A pricey Terra DeFi exploit went unreported for seven months until last week. Mirror Protocol, built on the Terra blockchain, allowed users to employ synthetic assets to take long or short positions in tech stocks.
The protocol’s operating mechanism, however, was hacked for $90 million. The Terra chain DeFi attack was first found last week by a Terra community member and analyst named “FatMan,” and has now been confirmed by security analysts BlockSec.
On May 17th, community members uncovered a weakness in the Mirror Protocol’s code that had allowed a hacker to drain up to $90 million, starting on October 8th, 2021.
According to FatMan, who says he discovered the hack by “pure serendipity,” the attacker stole $89,706,164.03 from the protocol thanks to an exploit that allowed them to unlock collateral from the lock contract “over and over at little cost and zero risk.”
The Terra Classic on-chain statistics revealed that the attacker was able to release UST funds from the protocol many times within the same transaction for only $17.54 each time.
By studying the precise exploit transaction, security firm BlockSec confirmed the community member’s findings.
How It Happened
To bet against a stock on Mirror, users had to lock collateral for at least fourteen days. Accepted collateral included the original Terra token, LUNA (now LUNA Classic or LUNC), as well as mAssets and the now-defunct stablecoin UST.
Once the trade was completed, users could unlock the collateral and return the funds to their wallets.
The unlock procedure was driven by ID numbers generated by the smart contract. Because of a bug, however, Mirror’s lock contract failed to check whether a user had already used the same ID to withdraw funds, so the same ID could be submitted many times over.
In October 2021, an unidentified entity discovered that a list of duplicate IDs could be used to repeatedly unlock hundreds of times more collateral than they had actually locked. In effect, the attacker could withdraw funds without authorization.
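As an added illustration, not code from Mirror Protocol or from this article, the toy lock contract below models the duplicate-ID flaw described in this section next to a hardened version; the position IDs, amounts and the "attacker"/"victim" names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class LockedPosition:
    owner: str
    amount: int       # collateral in constructed sample units
    unlock_time: int  # earliest time the funds may be released


class LockContract:
    """Toy model of a Mirror-style lock contract (hypothetical, not the real one)."""

    def __init__(self) -> None:
        self.positions: Dict[int, LockedPosition] = {}
        self.balance = 0  # total collateral the contract actually holds

    def lock(self, pid: int, owner: str, amount: int, now: int, period: int) -> None:
        self.positions[pid] = LockedPosition(owner, amount, now + period)
        self.balance += amount

    def _claimable(self, pid: int, owner: str, now: int) -> int:
        pos = self.positions.get(pid)
        if pos is None or pos.owner != owner or now < pos.unlock_time:
            return 0
        return pos.amount

    def unlock_vulnerable(self, owner: str, ids: List[int], now: int) -> int:
        # Flaw as described: every entry in the list is summed before any
        # position is cleared, so a repeated ID is paid once per repetition.
        total = sum(self._claimable(pid, owner, now) for pid in ids)
        for pid in ids:
            self.positions.pop(pid, None)
        self.balance -= total  # can go negative: other users' collateral is drained
        return total

    def unlock_fixed(self, owner: str, ids: List[int], now: int) -> int:
        # Hardened: deduplicate the request and clear each position as it is
        # paid, so a second occurrence of the same ID finds nothing to claim.
        total = 0
        for pid in dict.fromkeys(ids):  # drops duplicates, keeps order
            amount = self._claimable(pid, owner, now)
            if amount:
                del self.positions[pid]
                total += amount
        assert total <= self.balance, "payout exceeds collateral held"
        self.balance -= total
        return total


def run_scenario(fixed: bool) -> Tuple[int, int]:
    """Return (amount paid to attacker, collateral left in the contract)."""
    c = LockContract()
    c.lock(1, "attacker", 1_000, now=0, period=14)
    c.lock(2, "victim", 9_000, now=0, period=14)
    unlock = c.unlock_fixed if fixed else c.unlock_vulnerable
    paid = unlock("attacker", [1] * 20, now=14)  # same ID repeated 20 times
    return paid, c.balance
```

A payout larger than the caller's total locked collateral, or a contract balance that falls below the sum of outstanding positions, is the invariant a monitor would flag here.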
A New Attack
On May 30th, just days after the discovery, the DeFi protocol was targeted again.
According to reports, the newest hack exploited a misconfiguration of the protocol’s price oracles, which allowed the attacker to take advantage of a price disparity between the old LUNC and new LUNA tokens.
The Terra nodes were running obsolete oracle software, which allowed the attack to take place. The hacker stole upwards of $2 million from the protocol, according to the Chainlink community member who discovered the attack.
Terra/USD consolidates after near-zero crash. Source: TradingView
This isn’t the first time a hack has gone unnoticed for some time. In March 2022, hackers stole $600 million from the Ronin sidechain, and it took a week for anyone to notice. It wasn’t until users discovered they couldn’t withdraw their money that anyone realized there was a problem.
Mirror Protocol, which is being investigated by the Securities and Exchange Commission, has yet to make an official statement on the exploit, prompting community outrage. FatMan, for his part, believes there is “compelling evidence” that the hacker was an insider.
While this isn’t the first DeFi exploit in history, it is the one that has taken the longest to be discovered. Terra is under a lot of scrutiny as the pressure mounts.