A $90 million DeFi exploit on Terra went unnoticed for seven months

In October 2021, DeFi application Mirror Protocol succumbed to a $90 million exploit on the old Terra blockchain — and it went completely unnoticed until last week.

Mirror Protocol allowed users to take long or short positions on tech stocks using synthetic assets. It was built on Terra, which collapsed earlier this month after its main stablecoin lost its peg to the US dollar, dragging its sister token Luna down with it. (The blockchain has now been revived as Terra 2.0, while the original chain lives on as Terra Classic.)

The exploit was discovered accidentally by a Terra community member known as “FatMan.” He has been one of the most vocal antagonists in the recent launch of the new Terra blockchain.

Security firm BlockSec corroborated the community member’s findings by analyzing the specific exploit transaction. BlockSec confirmed an exploit did indeed take place.

How did the exploit happen?

Whenever someone wanted to bet against a stock on Mirror, they had to lock collateral — including UST, LUNA Classic (LUNC), and mAssets — for a minimum of 14 days.

After the trade concluded, users could unlock the collateral to release the funds back to the wallet. All of this was done with the help of smart contract-generated ID numbers. 

However, due to buggy code, Mirror’s lock contract allegedly failed to check whether the same ID appeared more than once in a single withdrawal request.

In October 2021, one unknown entity noticed that they could use a list of duplicate IDs to repeatedly unlock hundreds of times more collateral than they had. This basically meant the perpetrator could withdraw funds without any authorization.

This entity drained about $90 million in total, according to blockchain records.
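To make the failure mode concrete, here is an added, simplified model of a lock contract (not Mirror’s own CosmWasm code): positions are keyed by ID, and the unlock function is shown once without a duplicate-ID check and once with it. The contract structure, field names and amounts are assumptions for illustration only.

```rust
use std::collections::{BTreeSet, HashMap};

/// Toy lock contract (constructed for illustration): position id -> collateral.
#[derive(Default)]
pub struct LockContract {
    positions: HashMap<u64, u128>, // position id -> locked amount
    pool: u128,                    // total collateral held by the contract
}

impl LockContract {
    pub fn lock(&mut self, id: u64, amount: u128) {
        self.positions.insert(id, amount);
        self.pool += amount;
    }

    /// Vulnerable pattern: every id in the request is credited, and positions
    /// are only cleared afterwards, so a repeated id is paid out repeatedly.
    pub fn unlock_vulnerable(&mut self, ids: &[u64]) -> Result<u128, &'static str> {
        let mut total = 0u128;
        for id in ids {
            total += *self.positions.get(id).ok_or("unknown position")?;
        }
        for id in ids {
            self.positions.remove(id);
        }
        if total > self.pool {
            return Err("pool exhausted");
        }
        self.pool -= total;
        Ok(total)
    }

    /// Hardened: reject duplicate ids and unknown ids before touching state,
    /// then consume each position exactly once.
    pub fn unlock_hardened(&mut self, ids: &[u64]) -> Result<u128, &'static str> {
        let unique: BTreeSet<u64> = ids.iter().copied().collect();
        if unique.len() != ids.len() {
            return Err("duplicate position id");
        }
        if ids.iter().any(|id| !self.positions.contains_key(id)) {
            return Err("unknown position");
        }
        let total: u128 = ids.iter().map(|id| self.positions.remove(id).unwrap()).sum();
        self.pool -= total; // cannot underflow: each removed position was counted in pool
        Ok(total)
    }

    pub fn pool(&self) -> u128 {
        self.pool
    }
}
```

A periodic reconciliation that compares `pool` against the sum of open positions is the cheapest detection for this class of bug; on Mirror no such total was exposed, which is part of why the drain stayed hidden.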

Going unnoticed for seven months

The Mirror exploit may be one of the rare events where, despite the presence of on-chain data, a major hack remained undisclosed for a long time. Usually, projects are quick to report security events for the sake of transparency.

BlockSec said the exploit likely went unnoticed because fewer people were scanning for issues on Terra compared to Ethereum and Ethereum-compatible chains.

In addition, there was no interface on the Mirror website that made it possible to check the total amount of collateral in the protocol. This made it much harder to notice the vulnerability without sifting through a large amount of blockchain data.

Earlier this month, Mirror developers quietly fixed the vulnerability, at around the same time as the UST stablecoin began to collapse. A week after the patch, community members began wondering whether there could have been an exploit, according to a governance discussion. It’s unclear whether Mirror’s developers knew about the exploit.

This isn’t, however, the first time a hack has gone under the radar for a time. When hackers stole $600 million from the Ronin sidechain in March 2022, a week went by before anyone realized it had happened. It was only when users found they were unable to withdraw their funds that anyone realized there was a shortfall.

Mirror Protocol, which is the subject of an SEC enquiry, has not yet made an official comment on the matter. Neither the Mirror team nor Terraform Labs has responded to a request for comment.


© 2022 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.