Last week, a Terra community member accidentally discovered a DeFi vulnerability that had been ignored for seven months and was confirmed by BlockSec security analysts.

2024/05/05 02:39:32 hotcomm 1125

Last week, a Terra community member accidentally discovered a DeFi vulnerability that had been ignored for seven months, and it was confirmed by BlockSec security analysts. In October 2021, the DeFi application Mirror Protocol suffered a $90 million attack on the old Terra blockchain, but the community was not aware of it until last week. Mirror Protocol reportedly allows users to use synthetic assets to go long or short on technology stocks.


Mirror Protocol is built on the Terra blockchain; however, its sister token Luna fell until it was almost worthless earlier this month after the TerraUSD (UST) stablecoin lost its peg to the US dollar. After a chaotic few weeks, the community voted to hard fork to Terra 2.0 to eliminate the impact, and the original chain was renamed Terra Classic.


The vulnerability mentioned in this article was exposed by Terra community member and analyst "FatMan". He is also one of the most outspoken opponents of the newly launched Terra 2.0 blockchain.

Meanwhile, security firm BlockSec confirmed FatMan's findings by analyzing specific exploit transactions.


Whenever someone wants to open a short position on Mirror, they must lock collateral, including UST, LUNA Classic (LUNC) and mAssets, for at least 14 days. After the transaction is completed, the user can unlock the collateral and release the assets back to their wallet. All of these operations are keyed to an ID number generated by the smart contract.

However, due to a bug in the code, Mirror's locking contract reportedly failed to check whether someone used the same ID multiple times to withdraw funds.


So in October 2021, an unknown entity discovered this vulnerability and used a list of duplicate IDs to unlock collateral repeatedly, which meant the perpetrator was able to withdraw hundreds of times the collateral without any authorization. Subsequent blockchain records indicate that the entity made off with approximately $90 million in total. Even more striking, this vulnerability was not exposed until seven months later.
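
The missing check described above can be shown with a small model. This is an added example, not Mirror's contract code: the `LockLedger` type, its function names and the sample positions are hypothetical, and the flawed routine is only one way such a duplicate-ID bug can arise.

```rust
use std::collections::{BTreeMap, BTreeSet};
// Simplified, hypothetical model of a collateral lock ledger (not Mirror's code).
struct Lock { amount: u64, unlock_time: u64 }
struct LockLedger { locks: BTreeMap<u64, Lock>, pool: u64 }
const LOCK_PERIOD: u64 = 14 * 24 * 3600; // 14 days, in seconds

impl LockLedger {
    fn new() -> Self { LockLedger { locks: BTreeMap::new(), pool: 0 } }

    fn lock(&mut self, id: u64, amount: u64, now: u64) {
        self.locks.insert(id, Lock { amount, unlock_time: now + LOCK_PERIOD });
        self.pool += amount;
    }

    // Flawed: sums every ID in the request before any record is removed,
    // so an ID listed N times is paid N times out of the shared pool.
    fn unlock_flawed(&mut self, ids: &[u64], now: u64) -> u64 {
        let mut total: u64 = 0;
        for id in ids {
            if let Some(l) = self.locks.get(id) {
                if now >= l.unlock_time { total += l.amount; }
            }
        }
        self.locks.retain(|id, l| !(ids.contains(id) && now >= l.unlock_time));
        let paid = total.min(self.pool);
        self.pool -= paid;
        paid
    }

    // Hardened: reject repeated IDs, and delete each record as it is paid.
    fn unlock_checked(&mut self, ids: &[u64], now: u64) -> Result<u64, String> {
        let unique: BTreeSet<u64> = ids.iter().copied().collect();
        if unique.len() != ids.len() { return Err("duplicate position id".to_string()); }
        let mut total: u64 = 0;
        for id in ids {
            let due = self.locks.get(id).map_or(false, |l| now >= l.unlock_time);
            if due { total += self.locks.remove(id).map_or(0, |l| l.amount); }
        }
        self.pool -= total;
        Ok(total)
    }
}

fn main() {
    let mut ledger = LockLedger::new();
    ledger.lock(1, 100, 0); // constructed sample positions
    ledger.lock(2, 900, 0);
    println!("flawed payout: {}", ledger.unlock_flawed(&[1, 1, 1, 1, 1], LOCK_PERIOD));
}
```

In the flawed path, a position worth 100 listed five times pays out 500, with the excess coming from other users' locked collateral. The hardened path rejects the request outright and can never pay a position twice.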

Normally, for the sake of transparency, projects will report security incidents to the public as soon as possible - even if incidents like the Mirror Protocol vulnerability are quite rare.


BlockSec pointed out: Compared with ETH and compatible blockchains, fewer people are scanning for related issues on Terra, so the vulnerability has not been known to the public for a long time.

In addition, there is no interface on the Mirror website to view the total amount of collateral in the protocol, which makes it harder to find relevant vulnerabilities without sifting through large amounts of blockchain data.


Earlier this month, around the same time the UST stablecoin began to crash, Mirror developers quietly patched the flaw — a week after the patch was released, community members began to wonder if a vulnerability existed.


Of course, this is not the first time hackers have targeted cryptocurrency blockchain protocols. For example, in March 2022, a week after hackers stole $600 million from the Ronin sidechain, people who were unable to withdraw their funds realized something bad was going on.


Finally, Mirror Protocol, which is under investigation by the U.S. Securities and Exchange Commission (SEC), has yet to make an official comment on the matter.


The Block sent a request for comment to the Mirror / Terraform Labs team, but as of press time, they had not commented.
