A Terra community member discovered the exploit by accident last week, and security analysts at BlockSec have since confirmed it.
DeFi application Mirror Protocol was the victim of a roughly $90 million exploit on the Terra blockchain in October 2021, and the theft went unnoticed for about seven months.
Mirror Protocol, built on Terra, lets users take long and short positions in tech stocks through synthetic assets. Terra's main stablecoin, UST, lost its peg to the US dollar earlier this month, and its sister token LUNA collapsed with it. The chain has since been forked into Terra 2.0, while the original continues as Terra Classic.
The exploit was found by a Terra community member known as FatMan, who has been one of the most vocal opponents of the launch of Terra's new blockchain.
BlockSec confirmed the finding by analysing the exploit transaction.
How did the exploit work?
To short a synthetic stock on Mirror, a user had to lock collateral, such as UST or LUNA Classic (LUNC), for a minimum of 14 days.
Once the position was closed and the lock period had passed, the user could unlock the collateral and have it returned to their wallet. Each locked position was identified by an ID generated by the smart contract, and unlocking was requested by ID.
The bug was that Mirror's lock contract never checked whether a position ID had already been used to withdraw, so the same ID could be unlocked more than once.
In October 2021, an unknown attacker worked out that submitting a list of duplicate IDs in a single unlock request released the same collateral hundreds of times over, letting them withdraw funds they were never entitled to.
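The pattern described above, as an added example that is not Mirror Protocol's code: a toy lock contract in Rust that pays out every ID in an unlock request without noticing repeats, beside a hardened version that rejects duplicate IDs and consumes each position as it is paid. The struct layout, function names and the alice/bob scenario are assumptions made for illustration.

```rust
use std::collections::{HashMap, HashSet};

// A locked collateral position. Field names are assumptions for this example,
// not Mirror Protocol's storage layout.
#[derive(Debug)]
pub struct Position {
    pub owner: String,
    pub locked: u128,     // collateral held for this position, in base units
    pub unlock_time: u64, // earliest time at which it may be withdrawn
}

#[derive(Debug, PartialEq)]
pub enum UnlockError {
    UnknownPosition(u64),
    Unauthorized(u64),
    StillLocked(u64),
    DuplicateId(u64),
    InsufficientFunds,
}

// A toy lock contract holding the pooled collateral of all users.
pub struct LockContract {
    positions: HashMap<u64, Position>,
    pub balance: u128, // total collateral the contract holds for everyone
}

impl LockContract {
    pub fn new() -> Self {
        LockContract { positions: HashMap::new(), balance: 0 }
    }

    pub fn lock(&mut self, id: u64, owner: &str, amount: u128, unlock_time: u64) {
        self.positions.insert(id, Position { owner: owner.to_string(), locked: amount, unlock_time });
        self.balance += amount;
    }

    // Vulnerable pattern: every ID in the request is looked up and its amount added to
    // the payout; positions are only removed after the loop. Nothing notices that the
    // same ID appears repeatedly, so [7, 7, 7] pays position 7 three times, out of
    // collateral that belongs to other users.
    pub fn unlock_vulnerable(&mut self, sender: &str, now: u64, ids: &[u64]) -> Result<u128, UnlockError> {
        let mut payout: u128 = 0;
        for &id in ids {
            let pos = self.positions.get(&id).ok_or(UnlockError::UnknownPosition(id))?;
            if pos.owner != sender {
                return Err(UnlockError::Unauthorized(id));
            }
            if now < pos.unlock_time {
                return Err(UnlockError::StillLocked(id));
            }
            payout += pos.locked;
        }
        // The only limit left on the attacker is how much the whole pool holds.
        self.balance = self.balance.checked_sub(payout).ok_or(UnlockError::InsufficientFunds)?;
        for &id in ids {
            self.positions.remove(&id);
        }
        Ok(payout)
    }

    // Hardened version with two independent checks, either of which stops the attack:
    // (1) reject a request that names the same position twice; (2) remove each position
    // from storage at the moment it is paid, so an ID can never be paid a second time.
    // All validation runs before any state change, so a bad request changes nothing.
    pub fn unlock_hardened(&mut self, sender: &str, now: u64, ids: &[u64]) -> Result<u128, UnlockError> {
        let mut seen = HashSet::new();
        for &id in ids {
            if !seen.insert(id) {
                return Err(UnlockError::DuplicateId(id));
            }
            let pos = self.positions.get(&id).ok_or(UnlockError::UnknownPosition(id))?;
            if pos.owner != sender {
                return Err(UnlockError::Unauthorized(id));
            }
            if now < pos.unlock_time {
                return Err(UnlockError::StillLocked(id));
            }
        }
        let mut payout: u128 = 0;
        for &id in ids {
            let pos = self.positions.remove(&id).ok_or(UnlockError::UnknownPosition(id))?;
            payout += pos.locked;
        }
        self.balance = self.balance.checked_sub(payout).ok_or(UnlockError::InsufficientFunds)?;
        Ok(payout)
    }
}

fn main() {
    // Constructed scenario: alice has 1,000 locked, bob has 5,000; alice's lock has expired.
    let mut c = LockContract::new();
    c.lock(1, "alice", 1_000, 100);
    c.lock(2, "bob", 5_000, 100);
    println!("vulnerable: {:?}", c.unlock_vulnerable("alice", 200, &[1, 1, 1, 1])); // Ok(4000)
    println!("pool left: {}", c.balance); // 2000: bob's 5,000 is no longer fully backed
}
```

The vulnerable function still checks ownership and the 14-day style lock, which is why the attacker needed a position of their own; the missing check is purely that a consumed ID is never invalidated. The hardened function keeps both fixes because a dedup check alone would not protect against the same ID being spread across two calls in one transaction if the position were not removed on payout.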
According to on-chain records, the attacker took out approximately $90 million.
Unnoticed for seven months
Mirror is a rare case of a major attack going unreported for months even though every transaction was public on-chain. Projects are usually quick to disclose security incidents for the sake of transparency.
BlockSec said the exploit likely went unnoticed because far fewer researchers monitor Terra for issues than Ethereum and its compatible chains.
Mirror's website offered no view of the total collateral held by the protocol, so the drain could not be spotted without combing through large amounts of blockchain data.
Mirror's developers patched the vulnerability earlier this month, around the time the UST stablecoin began to collapse. A governance discussion shows that community members started to ask whether there had been an exploit about a week after the patch was applied. It is not clear whether Mirror's developers knew of the exploit at the time.
This is not the first hack to slip under the radar. It took a week for anyone to realise that hackers had stolen about $600 million from Ronin's sidechain in March 2022; the problem was only noticed when users found they could not withdraw their funds.
Mirror Protocol is currently the subject of an SEC inquiry but has not commented publicly on the exploit. Terraform Labs and Mirror did not respond to requests for comment.