Terra’s Mirror Protocol Suffers Another Exploit

Terra's Mirror Protocol Suffers Another Exploit

DeFi application, Mirror Protocol, has suffered another attack draining over $2 million. Cyber criminals depleted four synthetic asset pools from the protocol, with the potential to drain funds from all other pools in the coming days.

Troubles continue to escalate for Terra. Mirror Protocol, built on Terra, had been undergoing a second attack due to a bug in the LUNA CLASSIC (LUNC) pricing oracle. The capital pools of Bitcoin (BTC), Ethereum (ETH) and Polkadot (DOT) had been drained which resulted in a loss of over $ 2 million worth of assets. It is believed that if the bug is not fixed by tomorrow before the market opens, all of its token asset pools will be at risk. 

How Did The Attack Happen?

The incident was first reported by pseudonymous governance participant ‘Mirroruser’, on the Terra Research Forum. The individual even shared the addresses and the short trades of the perpetrator. Mirroruser wrote,

“Happening now. Probably invalid uluna oracle price. mBTC, mETH, mDOT pools drained. All other polos will get drained as soon as new oracle prices show up.”

News of the attack was then quickly circulated by Twitter user, FatMan, who explained that the hack was possible due to an error in the configuration of price oracles. The Mirror’s lock contract allegedly failed to check when someone used the same ID more than once to withdraw funds.

FatMan, warned that the Mirror Protocol is on the verge of collapse as developers have done “nothing” to fix the issue. They also asked users to withdraw all their funds from the protocol. He tweeted,

“It looks like nothing will be done and the project will collapse tomorrow for sure (there are other vectors too), so get all your money out of Mirror right now.”

Outdated Versions OF Price Oracles Caused The Heist

Terra Mirror Protocol Suffers Another Exploit

Todd Garrison, founder of validator node BlockPane, explained that most validators running nodes on the Terra Classic chain are running outdated versions of price oracles, and those nodes still give Mirror Protocol the LUNC price of 5UST. There is an urgent need to fix the LUNC price oracle, because in a short time, all liquidity pools will be exhausted.

Meanwhile, Chainlink (LINK) community ambassador ‘ChainLinkGod’ confirmed on a Twitter post that the issue has occurred due to Terra Classic validators “running an outdated version of the oracle software.”

However, it is reported that the Mirror Protocol, has managed to avoid the crisis by disabling the usage of certain mirrored assets as collateral. After much delay, it appeared that the pricing error fixed for LUNC, as the price verified by the oracle has returned to its real market value.