Terra’s Mirror Protocol Survival Was in Question, Crisis Reportedly ‘Averted’ – UPDATED
Decentralized finance (DeFi) project Mirror Protocol has been reportedly suffering an ongoing exploit over the past couple of days that allowed bad actors to drain four synthetic asset pools from the protocol, with the potential to drain funds from all other pools in the coming days. Mirror, however, reportedly ‘averted the crisis’. (Updated at 10:30 UTC: Updates in bold.)
Mirror Protocol was not available for comment.
The exploit was possible due to an error on the pricing oracle software for Terra Classic (LUNC) validators. Pseudonymous governance participant ‘Mirroruser’ first reported the incident on May 29 with a post on the Terra Research Forum.
As of now, the mBTC, mDOT, mETH, and mGLXY synthetic asset pools on the protocol have all been drained, losing over USD 2m worth of assets. The attacker will be able to continue exploiting the protocol when the markets open today, according to pseudonymous Terra researcher FatMan.
“Mirror Protocol is being exploited again as we speak, and the devs are completely [missing in action, MIA],” FatMan said on Twitter. “So far, the attacker has drained over [USD] 2m and counting – the attack will get worse when markets open tomorrow unless the dev team steps in and fixes the price oracle.”
The researcher detailed that due to an error in the pricing oracle, Luna Classic (LUNC) is priced around UST 5, while it’s actually worth less than a fraction of a cent. “For [USD] 1k in LUNC, an attacker can now load up on [USD] 1.3m in collateral but can pull out real assets by borrowing,” FatMan said.
The Mirror Protocol is a decentralized finance project that allows users to create and trade “mirrored assets,” or mAssets, which “mirror” the price of stocks, including major tech stocks like Apple and Microsoft.
FatMan warned that the Mirror Protocol is on the verge of collapse as developers have done “nothing” to fix the issue. They also asked users to withdraw all their funds from the protocol.
“It looks like nothing will be done and the project will collapse tomorrow for sure (there are other vectors too), so get all your money out of Mirror right now,” FatMan said, and warned:
“Tell anyone who has money in Mirror to withdraw and sell their assets. Pretty soon there will be nothing left.”
However, the Mirror Protocol has reportedly managed to avoid the crisis by disabling the usage of certain mirrored assets as collateral.
“Crisis averted – in the nick of time, Mirror disabled the usage of mBTC, mETH, mGLXY and mDOT as collateral,” FatMan said on Twitter.
Crisis averted – in the nick of time, Mirror disabled the usage of mBTC, mETH, mGLXY and mDOT as collateral. The attacker can no longer use his ill-gotten endowment to drain the rest of the pools. Great job @mirror_protocol – thank you! https://t.co/o64SVIRBmZ — FatMan (@FatManTerra) May 31, 2022
Meanwhile, Chainlink (LINK) community ambassador ‘ChainLinkGod’ explained in a Twitter post that the issue has occurred due to Terra Classic validators “running an outdated version of the oracle software.”
This is because a majority of the #TerraClassic #LUNC validators are running an outdated version of the price oracle! You can see who is publishing bad prices here https://t.co/cKM9V1VbPh if they have a low missed-oracle vote count they need to update ASAP!!! https://t.co/h5GBrg3UGe — Todd G | block pane (@blockpane) May 30, 2022
Notably, the project had also fallen victim to an exploit back in October 2021 that was discovered just recently. At the time, the protocol lost over USD 30m due to a bug in the code that failed to check when someone used the same ID more than once to withdraw funds, FatMan said last week. Based on the transaction details, the amount lost may be up to USD 89.7m.
🧵👇 What if I told you that Mirror Protocol, up until 18 days ago, was susceptible to one of the most profitable exploits of all time, allowing an attacker to generate $4.3m from $10k in a single transaction? Here's how I discovered this – by pure serendipity. 🧵👇 — FatMan (@FatManTerra) May 27, 2022
According to FatMan, the exploit was “one of the greatest yet most simple smart contract exploits in blockchain history” that went unnoticed for several months.
Blockchain security firm BlockSec also confirmed the exploit after analyzing the attack transaction on the Classic Chain.
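The bug class described above, a withdrawal routine that never checks whether the same ID appears more than once, is shown here next to a hardened version. This is an added illustration, not Mirror Protocol's contract code: the `Vault` type, its method names and the sample amounts are hypothetical, and ownership checks are left out to keep the focus on ID handling.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical vault, not Mirror's contract code: position ID -> locked amount.
pub struct Vault {
    locked: HashMap<u64, u128>,
    pub balance: u128, // funds the vault actually holds
}

impl Vault {
    pub fn new(positions: &[(u64, u128)]) -> Self {
        let locked: HashMap<u64, u128> = positions.iter().copied().collect();
        let balance: u128 = locked.values().sum();
        Vault { locked, balance }
    }

    // Flawed pattern: totals the payout over the whole request before clearing
    // any position, so an ID listed three times is paid three times.
    pub fn withdraw_unchecked(&mut self, ids: &[u64]) -> Result<u128, String> {
        let mut payout = 0u128;
        for id in ids {
            payout += *self.locked.get(id).ok_or("unknown position")?;
        }
        self.balance = self.balance.checked_sub(payout).ok_or("vault underfunded")?;
        self.locked.retain(|id, _| !ids.contains(id));
        Ok(payout)
    }

    // Hardened: reject repeated IDs up front, then remove each position as it
    // is paid so a replay in a later call finds nothing left to claim.
    pub fn withdraw_checked(&mut self, ids: &[u64]) -> Result<u128, String> {
        let mut seen = HashSet::new();
        if !ids.iter().all(|id| seen.insert(*id)) {
            return Err("duplicate position id".into());
        }
        if ids.iter().any(|id| !self.locked.contains_key(id)) {
            return Err("unknown position".into());
        }
        let payout: u128 = ids.iter().filter_map(|id| self.locked.remove(id)).sum();
        self.balance -= payout;
        Ok(payout)
    }
}

fn main() {
    // Constructed sample: position 1 locks 100, position 2 locks 900.
    let mut v = Vault::new(&[(1, 100), (2, 900)]);
    println!("{:?}", v.withdraw_unchecked(&[1, 1, 1]));
    println!("{:?}", v.withdraw_checked(&[2, 2]));
}
```

The hardened path validates the whole request before changing any state, so a rejected call leaves both the position map and the balance untouched.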