A malicious user exploited a flaw in the Mirror Protocol code last October to steal $90 million from the platform. The theft has only just been discovered, by an ordinary user, and the development team may have known about it.
Mirror (MIR) had $90 million stolen
It seems that even the largest sums can sometimes escape the attention of developers. Indeed, we have just learned that Mirror (MIR), a decentralised finance (DeFi) protocol built on the Terra Classic (LUNC) blockchain, had $90 million stolen in October 2021.
The Mirror protocol allows its users to take short or long positions on fungible assets based on their real value. In other words, it lets users trade stock equivalents such as Apple, Amazon, or Google via an oracle that monitors their real price.
The revelation comes from Twitter user “@FatManTerra”, known for his active participation in the Terra research forum, especially since the announcement of the blockchain fork. According to him, the malicious user managed to turn much smaller amounts into large stolen sums.
What if I told you that Mirror Protocol, up until 18 days ago, was susceptible to one of the most profitable exploits of all time, allowing an attacker to generate $4.3m from $10k in a single transaction? Here’s how I discovered this – by pure serendipity.
– FatMan (@FatManTerra) May 27, 2022
In broad terms, Mirror Protocol allows you to short assets by depositing another asset as collateral for 2 weeks. You therefore have to lock UST, LUNA Classic (LUNC) or other cryptocurrencies in order to invest.
Once the transaction is completed, the user can retrieve their collateral via a smart contract system. However, due to a flaw, the attacker was able to repeat this withdrawal operation several hundred times, without ever depositing additional collateral.
“The lock contract did not verify that funds were sent from the minting contract. So the attacker opened a position with $10 collateral and sent $10,000 directly to the lock contract. He could then loop other people’s collateral over and over again from the contract.”
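The missing sender check described above, as a simplified model added here (it is not Mirror's contract code and does not come from the article). The type, method and address names are hypothetical, and the single-payout behaviour of `unlock_funds` is an assumption of the model.

```rust
use std::collections::HashMap;

// Simplified, hypothetical model of a lock contract; not Mirror's code.
#[derive(Debug, PartialEq)]
pub enum LockError {
    Unauthorized,  // caller is not the mint contract
    NothingLocked, // position unknown or already paid out
}

pub struct LockContract {
    mint_contract: String,      // only address allowed to register locks
    enforce_sender: bool,       // false reproduces the missing check
    locked: HashMap<u64, u128>, // position id -> amount payable on unlock
}

impl LockContract {
    pub fn new(mint_contract: &str, enforce_sender: bool) -> Self {
        Self { mint_contract: mint_contract.to_string(), enforce_sender, locked: HashMap::new() }
    }

    /// Register `amount` as locked for `position_id` on behalf of `sender`.
    pub fn lock_funds(&mut self, sender: &str, position_id: u64, amount: u128) -> Result<(), LockError> {
        // The check the article says was missing: only the mint contract may
        // create ledger entries, because only it knows a real position exists.
        if self.enforce_sender && sender != self.mint_contract {
            return Err(LockError::Unauthorized);
        }
        *self.locked.entry(position_id).or_insert(0) += amount;
        Ok(())
    }

    /// Pay out a position once; the entry is removed so a repeat call fails.
    pub fn unlock_funds(&mut self, position_id: u64) -> Result<u128, LockError> {
        self.locked.remove(&position_id).ok_or(LockError::NothingLocked)
    }

    pub fn total_locked(&self) -> u128 {
        self.locked.values().sum()
    }
}

fn main() {
    let mut weak = LockContract::new("mint", false);
    let mut fixed = LockContract::new("mint", true);
    // Constructed sample calls: an address other than the mint contract registers a lock.
    println!("weak:  {:?}", weak.lock_funds("outsider", 7, 10_000));
    println!("fixed: {:?}", fixed.lock_funds("outsider", 7, 10_000));
    println!("fixed via mint: {:?}", fixed.lock_funds("mint", 7, 10));
    println!("unlock twice: {:?} then {:?}", fixed.unlock_funds(7), fixed.unlock_funds(7));
}
```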
The blockchain security company BlockSec corroborated FatMan’s claims via Twitter, indicating that the transactions were visible from Terra Classic’s block explorer, and at the same time confirming that the protocol was indeed exploited.
According to the on-chain data, the attacker stole a total of almost $90 million. This is quite a large sum of money, and its theft has apparently only just been discovered.
However, Mirror Protocol users noted on 17 May that a patch had been applied precisely to avoid duplication of these orders, which has given rise to speculation that the protocol concealed the attack.
Now that the facts have been established and confirmed, it remains to be seen whether the team behind Mirror was aware of this or not.