Over $2M lost as Mirror Protocol gets exploited; LUNA the culprit?

Terra seems to be on a streak of bad luck. The Do Kwon-led network was just celebrating the launch of its brand new chain and asset, LUNA 2.0. Amidst this, a DeFi platform on the Terra blockchain, Mirror Protocol was exploited. Currently, the app had lost more than $2 million. If this issue persists and isn’t mended by 4:00 AM ET tomorrow, all of the funds are likely to be drained.

The community seemed to be just getting used to the fact that the old and original blockchain is now called Terra Classic while the new one is just Terra. It was revealed that validators of the network had reported that LUNC was worth 5 UST while it was below a micro cent. This mishap allows an attacker to attain $1.3 million in collateral for just $1 in LUNC.

This pricing error reportedly occurred as LUNA validators were running an outdated version of the price oracle.

This is because a majority of the #TerraClassic #LUNC validators are running an outdated version of the price oracle! You can see who is publishing bad prices here https://t.co/cKM9V1VbPh if they have a low missed-oracle vote count they need to update ASAP!!! https://t.co/h5GBrg3UGe

— Todd G | block pane (@blockpane) May 30, 2022

This exploit was reportedly brought to light by a governance participant who goes by ‘Mirroruser’.

Are all pools drained?

Just not yet. Mirror Protocol entails a wide range of pools for cryptocurrencies. It was noted that pools for Bitcoin [mBTC], Polkadot [mDOT], and Ethereum [mETH], were drained. In addition to these, Galaxy Digital Stock’s pool, mGLXY was also hit.

It was further noted that other pools were in danger as well. These tokens tied to the remaining pools would start pre-market trading at 4:00 AM ET. Following this, if the issue isn’t fixed, these pools would be drained as well.

However, at press time, the error was identified and fixed for LUNC.

Mirror Protocol and series of attack

Just last week, “FatMan” a member of the Terra community pointed out that Mirror’s code was exploited ”hundreds of times” starting from 2021. This attack went unnoticed for nearly seven months.

The exploit further caused a loss of more than $30 million as the attacker was able to access other users’ collateral.

By

Leave a Reply

Your email address will not be published. Required fields are marked *