Key Takeaways
- Mirror Protocol suffered a $90 million exploit—seven months ago.
- The attacker was allowed to unlock collateral from the protocol again and again while paying very little in fees.
- The attack was only discovered in the last few days.
Mirror Protocol suffered a $90 million exploit last October, but it went unnoticed for seven months.
Seven Months
A Twitter user by the name of FatMan revealed on May 26, 2022 that Mirror Protocol was hacked for almost $90 million on Terra Classic on Oct. 8, 2021. It was the first time the attack had been made public, seven months after it took place.
According to FatMan, who says he discovered the hack by “pure serendipity,” the attacker stole $89,706,164.03 from the protocol thanks to an exploit that allowed them to unlock collateral from the lock contract “over and over at little cost and zero risk.”
A look at Terra Classic on-chain data indeed reveals that the attacker was able to unlock UST funds multiple times from the protocol within the same transaction, paying only about $17.54 to do so.
Mirror Protocol is a decentralized application that allows for the creation of digital synthetics which track the price of real-world assets, such as stocks. Mirror’s core contracts were deployed on Terra Classic, but its assets are available on Ethereum and Binance Smart Chain (BSC).
The bug, which was discovered by Mirror community members on May 17, had been quietly fixed by Mirror developers on May 9. The developer team had made no comment on whether the bug had already been noticed or exploited previously.
The Mirror Protocol team has yet to make any statement about the exploit, which has prompted criticism from the community. FatMan, however, thinks there is no “compelling evidence” indicating the entity responsible for the hack was an insider.
It’s not the first time a DeFi exploit took time to discover, though this is by far the longest it has taken. It had previously taken six days for the Ronin team to realize they’d been exploited for $600 million.
Disclosure: At the time of writing, the author of this piece owned ETH and several other cryptocurrencies.