Terra ecosystem protocol Mirror suffers another attack, multiple funds drained, auditing firm confirms $90 million vulnerability


Community members pointed out on the Mirror Protocol forum that the protocol has lost $2 million due to an oracle vulnerability. The anonymous Twitter user FatMan, who has been exposing Terra for the past few days, also mentioned that failure to address the issue promptly will result in irreparable losses.

Since fixing the vulnerability in early May, Mirror Protocol has not provided any updates on Twitter. The Mirror protocol allows users to use digital assets as collateral to mint and trade tokens pegged to the prices of stocks, bonds, forex, and other assets.

Mirror Faces Another Attack

Community member Mirroruser posted about this vulnerability on the Mirror forum.

In short, most nodes on the Terra Classic chain are still running outdated versions of the oracle. When the price of LUNC was only around $0.0001, the oracle mistakenly fed the price of Terra 2.0 LUNA at $9 to the Mirror protocol.

This means the oracle inflated the value of the attacker's LUNC by tens of thousands of times, allowing the attacker to exploit the protocol through the borrowing mechanism and repeatedly exchange the overvalued LUNC for real assets of mismatched value.
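An added example (not Mirror's contract code, and not from the original article): a guard that compares the primary oracle quote with an independent reference feed and refuses to price collateral when the two diverge, run on the two prices reported above. The `Quote` type, the second feed, and the 60-second and 10% thresholds are assumptions for illustration.

```rust
// Added example: hypothetical guard, not Mirror's contract code.
// Prices are integer micro-USD (1 USD = 1_000_000) to avoid floating point.

#[derive(Debug, PartialEq)]
pub enum PriceError {
    Stale,                        // a quote is older than MAX_AGE_SECS
    Deviation { diff_bps: u128 }, // feeds disagree by more than MAX_DEVIATION_BPS
}

pub struct Quote {
    pub price_micro_usd: u128,
    pub updated_at: u64, // unix seconds
}

pub const MAX_AGE_SECS: u64 = 60;          // assumed freshness window
pub const MAX_DEVIATION_BPS: u128 = 1_000; // assumed cap: 10%

/// Price to use for collateral, or an error on which minting and borrowing should halt.
pub fn checked_price(primary: &Quote, reference: &Quote, now: u64) -> Result<u128, PriceError> {
    if now.saturating_sub(primary.updated_at) > MAX_AGE_SECS
        || now.saturating_sub(reference.updated_at) > MAX_AGE_SECS
    {
        return Err(PriceError::Stale);
    }
    let hi = primary.price_micro_usd.max(reference.price_micro_usd);
    let lo = primary.price_micro_usd.min(reference.price_micro_usd);
    // A zero quote is rejected outright instead of dividing by it.
    let diff_bps = if lo == 0 { u128::MAX } else { (hi - lo) * 10_000 / lo };
    if diff_bps > MAX_DEVIATION_BPS {
        return Err(PriceError::Deviation { diff_bps });
    }
    Ok(lo) // value collateral at the lower of the two agreeing quotes
}

/// Value in micro-USD of `amount` whole tokens at `price_micro_usd`.
pub fn collateral_value(amount: u128, price_micro_usd: u128) -> u128 {
    amount.saturating_mul(price_micro_usd)
}

fn main() {
    // Constructed quotes using the two prices reported in the article.
    let now = 1_653_900_000;
    let wrong = Quote { price_micro_usd: 9_000_000, updated_at: now }; // $9 (LUNA 2.0)
    let market = Quote { price_micro_usd: 100, updated_at: now }; // $0.0001 (LUNC)
    println!("unchecked: {} micro-USD", collateral_value(1_000_000, wrong.price_micro_usd));
    println!("guarded: {:?}", checked_price(&wrong, &market, now));
}
```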

Currently, Mirror has lost over $2 million. Anonymous Twitter user FatMan pointed out that the following pools have been depleted:

  • mBTC
  • mETH
  • mDOT
  • mGLXY

With the U.S. stock market closed for Memorial Day, if the issue is not resolved by 4:00 PM Taiwan time before pre-market trading begins, the attacker may further deplete the remaining pools.

Oracle project ChainLink community ambassador ChainLinkGod also stated that the Mirror case illustrates why oracles should be dynamic rather than static and immutable, and mentioned that Anchor Protocol also encountered a similar vulnerability issue last weekend.

Loss of $90 Million Due to Vulnerability Last Year

FatMan also disclosed on 5/27 that Mirror quietly fixed a vulnerability from last year, which had caused the protocol to lose $90 million and went undetected for 7 months before being discovered by the team. Blockchain auditing firm BlockSec also confirmed FatMan's statement.

When users go long or short on stocks on Mirror, they must lock assets such as UST, LUNA Classic (LUNC), and mAssets for 14 days, and only after the trade is completed can users unlock the collateral to retrieve funds.

However, due to a contract vulnerability, attackers were able to repeatedly unlock the collateral. After hundreds of attacks, on-chain data shows that attackers obtained around $90 million.

The development team quietly fixed the vulnerability in early May, which made users more suspicious about the vulnerability. As of press time, Terraform Labs (TFL) and founder Do Kwon were busy promoting the newly launched Terra 2.0 token, and there have been no updates on the Mirror Protocol Twitter account.