Hacker Stole $90M From Mirror Protocol

A hacker exploited a vulnerability in Terra’s DeFi Mirror protocol and withdrew over $90 million.

The exploit was discovered by analyst FatMan, and specialists from the cybersecurity firm BlockSec confirmed his statement.

To open a short position on a synthetic stock in Mirror Protocol, a user must lock collateral (UST, LUNA Classic and mAssets) for at least 14 days. After the operation is completed, the tokens can be withdrawn back to the wallet.

The smart contract generated an identifier that was used to establish who owned the locked assets. The vulnerability was that the protocol did not block multiple withdrawals by the same user, and the hacker exploited this.

The attacker discovered the vulnerability in October 2021. Since then, he has been able to withdraw a total of $90 million. As a result, the amount the hacker received was hundreds of times larger than the collateral he had locked.
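The flaw described above, reduced to a minimal model as an added example (this is not Mirror Protocol's contract code): a release routine that checks owner and lock period but leaves the record in place, next to one that removes the record when it pays out. All type, function and account names and the amounts are assumptions made for illustration.

```rust
use std::collections::HashMap;

// Simplified, hypothetical model of a collateral lock ledger.
// Not Mirror Protocol's contract code; names and amounts are constructed.
struct Lock { owner: String, amount: u64, unlock_time: u64 }

struct Ledger {
    locks: HashMap<u64, Lock>, // position id -> locked collateral
    vault: u64,                // pooled funds of all users
}

impl Ledger {
    fn lock(&mut self, id: u64, owner: &str, amount: u64, unlock_time: u64) {
        self.vault += amount;
        self.locks.insert(id, Lock { owner: owner.to_string(), amount, unlock_time });
    }

    // Shared checks: position exists, caller owns it, lock period is over.
    fn payable(&self, caller: &str, id: u64, now: u64) -> Result<u64, String> {
        let lock = self.locks.get(&id).ok_or("unknown or already released position")?;
        if lock.owner != caller { return Err("caller does not own this position".into()); }
        if now < lock.unlock_time { return Err("lock period has not ended".into()); }
        Ok(lock.amount)
    }

    // Flawed: pays out but keeps the lock record, so the same id pays again.
    fn release_flawed(&mut self, caller: &str, id: u64, now: u64) -> Result<u64, String> {
        let amount = self.payable(caller, id, now)?;
        self.vault = self.vault.checked_sub(amount).ok_or("vault exhausted")?;
        Ok(amount)
    }

    // Hardened: the record is removed in the same call that pays out.
    fn release_once(&mut self, caller: &str, id: u64, now: u64) -> Result<u64, String> {
        let amount = self.payable(caller, id, now)?;
        self.vault = self.vault.checked_sub(amount).ok_or("vault exhausted")?;
        self.locks.remove(&id);
        Ok(amount)
    }
}

// Constructed scenario: alice locks 100 and bob locks 900, both for 14 days.
fn sample() -> Ledger {
    let mut l = Ledger { locks: HashMap::new(), vault: 0 };
    l.lock(1, "alice", 100, 14);
    l.lock(2, "bob", 900, 14);
    l
}

fn main() {
    let (mut a, mut b) = (sample(), sample());
    let flawed: u64 = (0..5).filter_map(|_| a.release_flawed("alice", 1, 15).ok()).sum();
    let fixed: u64 = (0..5).filter_map(|_| b.release_once("alice", 1, 15).ok()).sum();
    println!("flawed paid {flawed}, hardened paid {fixed}");
}
```

In the flawed path the extra payouts come out of the other depositor's funds, which is why a check of total payouts against total locked collateral would surface the problem.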

BlockSec explained that the exploit could not be identified earlier because the Mirror site did not display data on the amount of collateral deposited by users. In addition, experts noted that data on the Terra blockchain is analyzed less scrupulously than data on Ethereum and EVM-compatible networks.

A few days after the fall of Terra, the developers of Mirror Protocol fixed the vulnerability.

Most of the validators in the Terra Classic network were using an outdated version of the oracles, which reported a LUNA Classic (LUNC) price of 5 USTC (~$0.12) to the system when the real price did not exceed $0.0001. As a result, the thief emptied several liquidity pools (mBTC, mETH, mDOT and mGLXY).

FatMan warned that a hacker could do the same to mAsset pools, leading to bad debt and the collapse of the protocol. Fortunately, access to them was suspended until the start of the pre-trading session for the shares to which they are linked.

The developers took the advice of an expert and disabled the use of mBTC, mETH, galaxy and mDOT as collateral, preventing a possible disaster.

