Mirror Protocol, on the Terra network, suffers a new exploit
The Mirror Protocol, a decentralized finance (DeFi) platform built on the Terra blockchain, has suffered another exploit.
According to user @FatManTerra, known for investigating the Terra ecosystem, the latest exploit reportedly drained over $2 million from the protocol.
He said he analyzed a series of transactions to arrive at that estimate. According to the analyst, the exploitation could continue and worsen when the market opens on Tuesday (31).
Mirror Protocol is being exploited again as we speak, and the devs are completely MIA. So far, the attacker has drained over $2m and counting – the attack will get worse when markets open tomorrow unless the dev team steps in and fixes the price oracle. @mirror_protocol (1/4)
— FatMan (@FatManTerra) May 30, 2022
The Mirror Protocol allows users to take long and short positions in technology stocks using synthetic assets.
The protocol is running on the former Terra blockchain – now called Terra Classic. The “old” Terra has been replaced by a new network (“Terra 2.0”) following the collapse of stablecoin UST and cryptocurrency LUNA. But even though it has been replaced, the old blockchain is still in operation.
The Mirror Protocol has its own versions of other cryptocurrencies, held in pools. And it was precisely these pools that were drained, according to @FatManTerra.
Exploit details
As the “blockchain detective” explained, the cause of the exploit was a bug in the protocol’s oracle. An oracle is the way a protocol collects data, including from the physical world. In this case, the oracles fetch data on the prices of shares and certain digital assets.
He explained that a bug in the protocol’s pricing oracle was telling the system that LUNC (formerly LUNA) is worth around $5. But in fact, the cryptocurrency’s price is currently at $0.0001174.
“For $1K in LUNC, an attacker can now allocate $1.3M in collateral. But it can withdraw real assets through borrowing,” he explained.
By the time FatManTerra made the Twitter post to his nearly 60,000 followers, the exploit had drained the mBTC, mETH, mDOT, and mGLXY pools.
The remaining pools – such as mSPY, mAAPL and mAMZN – were, at that time, unavailable for trading, since they are linked to stocks. But with the reopening of the market they could be exploited.
According to Todd Garrison, founder of Block Pane – which runs validator nodes on blockchains – the problem with this case is that most validators running nodes on the Terra Classic chain are running an outdated version of the pricing oracle. Therefore, the reported price of LUNC was wrong.
Mirror Protocol avoided the worst
This morning @FatManTerra tweeted that the bigger problem had been avoided. This is because “at the last minute” the Mirror Protocol disabled the use of mBTC, mETH, mGLXY and mDOT as collateral.
“The attacker can no longer use his ill-gotten endowment to drain the rest of the pools,” he wrote. “The oracle feed has been delayed – it didn’t kick in at premarket open like it was supposed to – I’ll post an update when I get more information. For now, Mirror has not been completely drained,” he concluded.
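As an added example (not Mirror's code or the analyst's), the check below compares each oracle price against the median of independent reference quotes and returns the assets that should stop being accepted as collateral. The LUNC prices are the two quoted in the article; the reference sources, the mBTC row and the 5% tolerance are assumptions.

```python
from statistics import median

# Constructed sample data. The LUNC figures are the two prices quoted in the
# article; the reference quotes around them and the mBTC row are hypothetical.
ORACLE_FEED = {"LUNC": 5.0, "mBTC": 31_500.0}
REFERENCE_QUOTES = {
    "LUNC": [0.0001174, 0.0001180, 0.0001169],
    "mBTC": [31_480.0, 31_510.0, 31_495.0],
}
MAX_DEVIATION = 0.05  # assumed policy: tolerate 5% drift from the reference median


def deviation(oracle_price, quotes):
    """Relative gap between the oracle price and the median reference quote."""
    ref = median(quotes)
    if ref <= 0:
        raise ValueError("reference price must be positive")
    return abs(oracle_price - ref) / ref


def overvaluation_factor(oracle_price, quotes):
    """How many times the oracle overstates the collateral's market value."""
    return oracle_price / median(quotes)


def collateral_to_disable(oracle_feed, reference_quotes, max_deviation=MAX_DEVIATION):
    """Return {asset: deviation} for assets that must not be accepted as collateral.

    An asset with no independent reference quote fails closed: it is disabled
    rather than trusted on the oracle's word alone.
    """
    flagged = {}
    for asset, price in oracle_feed.items():
        quotes = reference_quotes.get(asset)
        if not quotes:
            flagged[asset] = float("inf")
            continue
        dev = deviation(price, quotes)
        if dev > max_deviation:
            flagged[asset] = dev
    return flagged


if __name__ == "__main__":
    for asset, dev in collateral_to_disable(ORACLE_FEED, REFERENCE_QUOTES).items():
        factor = overvaluation_factor(ORACLE_FEED[asset], REFERENCE_QUOTES[asset])
        print(f"disable {asset} as collateral: oracle overstates value {factor:,.0f}x")
```

Run on every oracle update, a guard like this blocks new borrowing against a mispriced asset before the position is opened, rather than after pools have been emptied.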