DeFi application, Mirror Protocol, has suffered another attack draining over $2 million. Cyber criminals depleted four synthetic asset pools from the protocol, with the potential to drain funds from all other pools in the coming days.
Troubles continue to escalate for Terra. Mirror Protocol, built on Terra, had been undergoing a second attack due to a bug in the LUNA CLASSIC (LUNC) pricing oracle. The capital pools of Bitcoin (BTC), Ethereum (ETH) and Polkadot (DOT) had been drained which resulted in a loss of over $ 2 million worth of assets. It is believed that if the bug is not fixed by tomorrow before the market opens, all of its token asset pools will be at risk.
Mirror Protocol is being exploited again as we speak, and the devs are completely MIA. So far, the attacker has drained over $2m and counting – the attack will get worse when markets open tomorrow unless the dev team steps in and fixes the price oracle. @mirror_protocol (1/4)
— FatMan (@FatManTerra) May 30, 2022
How Did The Attack Happen?
So far, the mBTC, mETH, mDOT and mGLXY pools have been drained. In around 12 hours, the market feed will kick in, and the attacker will be able to drain all of the mAsset pools (such as mSPY and mAAPL, mAMZN, etc.) – most of the pools can still be saved. (3/4)
— FatMan (@FatManTerra) May 30, 2022
The incident was first reported by pseudonymous governance participant ‘Mirroruser’, on the Terra Research Forum. The individual even shared the addresses and the short trades of the perpetrator. Mirroruser wrote,
“Happening now. Probably invalid uluna oracle price. mBTC, mETH, mDOT pools drained. All other polos will get drained as soon as new oracle prices show up.”
News of the attack was then quickly circulated by Twitter user, FatMan, who explained that the hack was possible due to an error in the configuration of price oracles. The Mirror’s lock contract allegedly failed to check when someone used the same ID more than once to withdraw funds.
FatMan, warned that the Mirror Protocol is on the verge of collapse as developers have done “nothing” to fix the issue. They also asked users to withdraw all their funds from the protocol. He tweeted,
“It looks like nothing will be done and the project will collapse tomorrow for sure (there are other vectors too), so get all your money out of Mirror right now.”
@stablekwon @mirror_protocol Please look into fixing the LUNC price oracle, because in a short while, all liquidity pools will be drained, Mirror will accrue irremediable bad debt, and the system will collapse in on itself. This is not the time to be negligent. (4/4)
— FatMan (@FatManTerra) May 30, 2022
Outdated Versions OF Price Oracles Caused The Heist
Todd Garrison, founder of validator node BlockPane, explained that most validators running nodes on the Terra Classic chain are running outdated versions of price oracles, and those nodes still give Mirror Protocol the LUNC price of 5UST. There is an urgent need to fix the LUNC price oracle, because in a short time, all liquidity pools will be exhausted.
Meanwhile, Chainlink (LINK) community ambassador ‘ChainLinkGod’ confirmed on a Twitter post that the issue has occurred due to Terra Classic validators “running an outdated version of the oracle software.”
Crisis averted – in the nick of time, Mirror disabled the usage of mBTC, mETH, mGLXY and mDOT as collateral. The attacker can no longer use his ill-gotten endowment to drain the rest of the pools. Great job @mirror_protocol – thank you! https://t.co/o64SVIRBmZ
— FatMan (@FatManTerra) May 31, 2022
However, it is reported that the Mirror Protocol, has managed to avoid the crisis by disabling the usage of certain mirrored assets as collateral. After much delay, it appeared that the pricing error fixed for LUNC, as the price verified by the oracle has returned to its real market value.
