Mirror Protocol, a DeFi application, succumbed to a $90 million attack on the old Terra blockchain in October 2021, and it went absolutely unreported until last week.
Using the Mirror protocol, users may take long or short positions in tech stocks. It was constructed on Terra, which went bankrupt earlier this month after its main stablecoin lost its peg to the US dollar, pulling down its sister token Luna with it. (The blockchain is now known as Terra 2.0, whereas the original chain is known as Terra Classic.)
The exploit was found by “FatMan,” a Terra community member and analyzer. He has been one of the most vociferous opponents of the new Terra blockchain’s recent introduction.
By studying the precise exploit transaction, security firm BlockSec confirmed the community member’s findings. BlockSec confirmed that an exploit occurred.
How did the exploit take place?
Whenever someone wished to bet against a stock on Mirror, they had to lock collateral for a minimum of 14 days, including UST, LUNA Classic (LUNC), and mAssets.
After the trade was completed, users could unlock the collateral and return the funds to their wallet. All of this was accomplished with the use of smart contract-generated ID numbers.
However, the Mirror’s lock contract apparently failed to check when someone used the same ID to withdraw cash more than once owing to flawed programming.
In October 2021, an unknown entity discovered that they could repeatedly unlock hundreds of times more collateral than they had by using a list of duplicate IDs. This essentially indicated that the culprit might remove monies without being authorized.
According to blockchain records, this entity drained approximately $90 million in total.
Seven months of going undetected
The Mirror vulnerability may be one of the few instances where, despite the presence of on-chain data, a big breach went unnoticed for an extended period of time. For the interest of transparency, projects are usually quick to report security events.
According to BlockSec, the vulnerability remained unreported because fewer people were looking for flaws on Terra compared to Ethereum and Ethereum-compatible networks.
Furthermore, there was no interface on the Mirror website to examine the overall amount of collateral in the protocol. This made detecting the issue much more difficult without going through a vast volume of blockchain data.
Mirror developers secretly addressed the issue earlier this month, about the same time the UST stablecoin began to crumble. According to a governance debate, a week after the patch, community members began to wonder if there could have been an exploit. It’s unclear whether Mirror’s developers were aware of the exploit.
This isn’t the first time a hack has gone unnoticed for a brief period of time. When hackers stole $600 million from the Ronin sidechain in March 2022, it took a week for anyone to notice. It wasn’t until users discovered they couldn’t withdraw their payments that anyone realized there was a problem.
Mirror Protocol, which is under investigation by the SEC, has yet to provide an official statement on the situation. Mirror and Terraform Labs have yet to react to requests for comment.