Advertising revenue keep this site going. We do not actively endorse ads served to us.
DYOR. Please use your due diligence while on this site.
We also do not get information from our visitors.
cryptocurrency May 30, 2022

Key Takeaways

  • Mirror Protocol suffered a $90 million exploit—seven months ago.
  • The attacker was allowed to unlock collateral from the protocol again and again while paying very little in fees.
  • The attack was only discovered in the last few days.

Share this article

Mirror Protocol suffered a $90 million exploit last October, but it went unnoticed for seven months. 

Seven Months

Mirror Protocol was hacked for almost $90 million on Terra Classic on Oct. 8, 2021, a Twitter user by the name of FatMan revealed for the first time on May 26, 2022, seven months after the attack.

According to FatMan, who says he discovered the hack by “pure serendipity,” the attacker stole $89,706,164.03 from the protocol thanks to an exploit that allowed them to unlock collateral from the lock contract “over and over at little cost and zero risk.”

Advertisements

A look at Terra Classic on-chain data indeed reveals that the attacker was able to unlock UST funds multiple times from the protocol within the same transaction, paying only about $17.54 to do so. 

Mirror Protocol is a decentralized application that allows for the creation of digital synthetics which track the price of real-world assets, such as stocks. Mirror’s core contracts were deployed on Terra Classic, but its assets are available on Ethereum and Binance Smart Chain (BSC).

The bug, which was discovered by Mirror community members on May 17, had been quietly fixed by Mirror developers on May 9. The developer team had made no comment on whether the bug had already been noticed or exploited previously. 

The Mirror Protocol team has yet to make any statement about the exploit, which has prompted criticism from the community. FatMan, however, thinks there is no “compelling evidence” indicating the entity responsible for the hack was an insider.

It’s not the first time a DeFi exploit took time to discover, though this is by far the longest it has taken. It had previously taken six days for the Ronin team to realize they’d been exploited for $600 million.

Advertisements

Disclosure: At the time of writing, the author of this piece owned ETH and several other cryptocurrencies.

Share this article