$90 million hack caught after seven months

Problem child Terra continues to cause trouble even after its collapse. As early as October last year, the Mirror protocol was exploited for 90 million US dollars. The strange incident was only noticed a few days ago, shortly before another attack took place.

Mapping real-time stock prices, making them tradable as synthetic assets – also known as stock tokens – and thus bringing the stock market onto the blockchain: the core function of the Mirror protocol, which runs on the Terra blockchain, offers many advantages and apparently just as many weaknesses. A hitherto unknown attacker managed to trick the protocol around seven months ago and relieved it of around 90 million US dollars. The incident has only now been revealed by the anonymous Terra whistleblower FatMan in a series of tweets.

Vulnerability costs $90 million

Long and short positions – i.e. bets on rising or falling prices – can be taken on tech stocks via the Mirror protocol. To do this, users must deposit collateral as security and lock it for two weeks. After the trade is completed, the funds can be unlocked again. So far so good.

Apparently, there was a bug in the code that allowed the same ID to be used more than once to withdraw funds. This allowed the attacker to unlock other users’ collateral and take it for himself. All in all: over $90 million.

“The lock contract did not verify that the funds were sent from the mint contract, so the attacker opened a position with $10 in collateral and sent $10,000 directly to the lock contract. He could then unlock others’ collateral from the contract over and over again in a loop,” explains FatMan. In doing so, the attacker “turned $10,000 into $4,300,000” several times.
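The two checks whose absence is described above, sketched as a simplified model. This is an added example, not Mirror's contract code; the `Lock` type, the error names and the sample addresses and amounts are hypothetical.

```rust
use std::collections::{HashMap, HashSet};

#[derive(Debug, PartialEq)]
pub enum LockError { UnauthorizedSender, DuplicateId, UnknownPosition }

/// Simplified model of a collateral lock; all names here are hypothetical.
pub struct Lock {
    mint_contract: String,      // the only caller allowed to register locked funds
    locked: HashMap<u64, u128>, // position id -> collateral still locked
}

impl Lock {
    pub fn new(mint_contract: &str) -> Self {
        Lock { mint_contract: mint_contract.to_string(), locked: HashMap::new() }
    }

    /// Check 1: credit a position only when the call comes from the mint contract.
    pub fn lock(&mut self, sender: &str, id: u64, amount: u128) -> Result<(), LockError> {
        if sender != self.mint_contract {
            return Err(LockError::UnauthorizedSender);
        }
        *self.locked.entry(id).or_insert(0) += amount;
        Ok(())
    }

    /// Check 2: every id in a request must be unique and still locked.
    /// Validation runs before any state change, so a rejected request releases nothing.
    pub fn unlock(&mut self, ids: &[u64]) -> Result<u128, LockError> {
        let mut seen = HashSet::new();
        for id in ids {
            if !seen.insert(*id) {
                return Err(LockError::DuplicateId);
            }
            if !self.locked.contains_key(id) {
                return Err(LockError::UnknownPosition);
            }
        }
        // Removing the entry means a later request cannot release the same id again.
        Ok(ids.iter().map(|id| self.locked.remove(id).unwrap_or(0)).sum())
    }
}

fn main() {
    let mut lock = Lock::new("mint"); // constructed sample addresses and amounts
    lock.lock("mint", 1, 10).unwrap();
    println!("direct deposit: {:?}", lock.lock("someone-else", 1, 10_000));
    println!("repeated id:    {:?}", lock.unlock(&[1, 1, 1]));
    println!("single unlock:  {:?}", lock.unlock(&[1]));
}
```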

Once more for good measure: Mirror looted again

Same protocol, different error. Another attack on Mirror was observed on Sunday. The problem this time: apparently, Mirror was using an outdated oracle version. As a result, Mirror valued the LUNC token, which is actually worth only fractions of a cent, at around five US dollars.

“For $1,000 in LUNC, an attacker can now load $1.3 million in collateral,” FatMan wrote. “Apparently the cause was that the Terra Classic validators were working with an outdated version of the Oracle software,” explained ChainLinkGod.eth on Twitter.

The bug allowed the mBTC, mETH, mDOT, and mGLXY pools to be looted. Overall, the damage is said to amount to two million US dollars. The bug has now been fixed and the oracle version has been updated.
