Devs MIA As Mirror Protocol Suffers Yet Another Exploit

Mirror Protocol is under attack yet again, according to a thread by Twitter user FatMan. The attacker has drained $2 million so far, and this figure could go much higher once markets open on Monday. The only way to stem the tide of the attack is if the dev team steps in and fixes the price oracle. However, so far, there is no word from the Mirror devs. 

Yet Another Mirror Exploit 

Mirror Protocol, a decentralized finance application on Terra, has fallen victim to yet another exploit. So far, the losses have been clocked at over $2 million, and if the bug is not patched by 4:00 AM ET, then all of its pools will be at risk. Mirror Protocol enables users to take long or short positions on tech stocks through synthetic assets and runs on the old Terra blockchain (Terra Classic). 

A new blockchain replaced the old Terra blockchain in the aftermath of the collapse of the TerraUSD stablecoin and the LUNA token, now LUNA Classic (LUNC). However, despite the emergence of a new blockchain, the old Terra blockchain continues to run. Mirror Protocol revealed that the pools for bitcoin, ether and Polkadot have been drained so far. 

Attack Could Get Bigger 

According to prominent Terra community member FatMan, who was also at the forefront of opposing how the new Terra blockchain was launched, the attacker has stolen over $2 million so far. The pools that have not been drained are tied to stocks that are currently not available for trading until 4:00 AM ET. Once these become available, the attacker could use the exploit for the remaining pools and drain them. 

Crux Of The Problem 

The problem stems from Mirror Protocol’s price oracle, as Block Pane founder Todd Garrison pointed out: a significant majority of the validators running nodes on Terra Classic are running an outdated version of the price oracle. As a result, those nodes are telling Mirror Protocol that each LUNC is worth 5 UST instead of its actual price, which is a fraction of a cent. 

He stated as much on Twitter, 

“Please look into fixing the LUNC price oracle, because in a short while, all liquidity pools will be drained, Mirror will accrue irremediable bad debt, and the system will collapse in on itself. This is not the time to be negligent.”

The attack has not affected a majority of the tokenized stocks, thanks to the weekend and Memorial Day in the US. FatMan is also the same user who had identified another bug in the Mirror Protocol. 

The $90 Million Exploit And How It Happened 

In October 2021, Mirror Protocol had suffered a $90 million exploit, which went undiscovered until last week, when Terra community member and analyst FatMan came across it. The exploit was corroborated by security firm BlockSec after it had analyzed the transaction related to the exploit. 

When someone bets against a stock on Mirror Protocol, they must lock collateral. However, because of a bug in Mirror’s lock contract, the contract did not check whether the same position ID had already been used to withdraw funds. A malicious entity noticed this in October 2021 and used a list of duplicate IDs to unlock significantly more collateral than they had actually locked. In total, the entity drained $90 million. 
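The duplicate-ID flaw described above, as a constructed Python illustration added here (not Mirror’s own CosmWasm contract code): a toy lock ledger in its vulnerable form beside a hardened form that refuses repeated IDs, plus a scan over constructed unlock transactions of the kind that could have surfaced the replay from on-chain data. Position IDs, amounts and transaction labels are constructed sample values.

```python
from collections import Counter


class DuplicateIdError(Exception):
    """Raised by the hardened path when a position ID is reused."""


class LockContract:
    """Toy collateral ledger: position ID -> locked collateral amount."""

    def __init__(self, positions):
        self.positions = dict(positions)   # constructed sample state
        self.unlocked = set()              # IDs already paid out (hardened path only)

    def unlock_vulnerable(self, ids):
        # Flaw: every ID in the request is paid out, even if it appears
        # more than once, so [102, 102, 102] pays position 102 three times.
        return sum(self.positions[i] for i in ids)

    def unlock_hardened(self, ids):
        # Reject IDs repeated within the request or already paid out earlier,
        # and record each ID as spent before returning the payout.
        if len(set(ids)) != len(ids):
            raise DuplicateIdError("repeated position ID in one request")
        spent = [i for i in ids if i in self.unlocked]
        if spent:
            raise DuplicateIdError(f"position already unlocked: {spent}")
        total = sum(self.positions[i] for i in ids)
        self.unlocked.update(ids)
        return total


def find_replayed_unlocks(txs):
    """Scan (tx_label, [position_ids]) unlock calls in order and report every
    call that reuses an ID, either within the call or from an earlier call."""
    seen = set()
    suspicious = []
    for tx_label, ids in txs:
        counts = Counter(ids)
        repeated = sorted({i for i, n in counts.items() if n > 1} | (set(ids) & seen))
        if repeated:
            suspicious.append((tx_label, repeated))
        seen.update(ids)
    return suspicious


# Constructed sample data: three positions and three unlock calls.
POSITIONS = {101: 1_000, 102: 2_500, 103: 400}
SAMPLE_TXS = [("tx-a", [101]), ("tx-b", [102, 102, 102]), ("tx-c", [103, 101])]
```

Running the scan over SAMPLE_TXS flags tx-b (102 repeated in one call) and tx-c (101 reused from tx-a), while the hardened contract rejects both patterns before paying out.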

Exploit Unnoticed For Months 

The exploit remained unnoticed for seven months, despite the presence of on-chain data, with Mirror failing to report the exploit. BlockSec gave a likely explanation for the exploit going unnoticed, saying that fewer users were scanning for issues on Terra compared to others such as Ethereum. 

Additionally, there was no way to check the amount of collateral without sifting through a significant amount of data, making spotting the vulnerability even more difficult. However, developers at Mirror patched the vulnerability around the same time the UST began unraveling. Once the vulnerability was fixed, the community began wondering if there was an exploit and if Mirror developers knew about it. 

Not The First Unreported Hack  

This is not the first time a hack has gone unnoticed. If you recall the Ronin sidechain hack of March 2022, hackers had stolen $600 million. The hack remained unnoticed for a week before users discovered it, only because they could not withdraw their funds thanks to the gaping shortfall created by the exploit. 

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
