DeFi Protocol ‘Mirror’ Exploited for $2 Million Due to Buggy Code

Terra-based DeFi app Mirror Protocol has suffered an estimated US$2 million exploit related to the recent rebrand of the original Terra blockchain as Terra Classic. 

This is the second major exploit of Mirror Protocol to be revealed in the past week:

Mirror Protocol is being exploited again as we speak, and the devs are completely MIA. So far, the attacker has drained over $2m and counting – the attack will get worse when markets open tomorrow unless the dev team steps in and fixes the price oracle. @mirror_protocol (1/4)

— FatMan (@FatManTerra) May 30, 2022

During the attack, the pools for mBTC, mETH, mDOT and mGLXY were virtually completely drained – and initially there were fears all asset pools could be drained, before developers belatedly patched the exploit.

What is Mirror Protocol?

Mirror Protocol is a DeFi app that allows for the creation of digital ‘mirrors’ of real-world assets, such as stocks and other cryptocurrencies, which closely track the price of the assets on which they’re based. 

Mirror is built on the Terra Classic blockchain, but its assets are also available on other chains such as Ethereum and Binance Smart Chain.

Attacker Exploited Confusion Caused by New Terra Chain

The attack was initially discovered by a user of the Mirror Protocol forum known as Mirroruser and was shared on Twitter by Terra analyst FatManTerra.

FatManTerra explained the exploit was possible because many Terra Classic validators were running outdated software and reporting the price of the new Terra (LUNA), which at the time was valued at about US$9.80, rather than the price of the original Terra Classic (LUNC), valued at around US$0.0001. This discrepancy allowed the attacker(s) to acquire US$1.3 million of collateral, such as mBTC, for every US$1000 in LUNC they spent:

A bug in the pricing oracle is telling the system that LUNC is worth around 5 UST when it’s actually under a microcent. For $1k in LUNC, an attacker can now load up on $1.3m in collateral but can pull out real assets by borrowing. Example tx: https://t.co/QBxgAq8ovb (2/4)

— FatMan (@FatManTerra) May 30, 2022

There were initially fears that the exploit wouldn’t be fixed before US stock markets opened, allowing the attacker to drain stock-based asset pools such as mAAPL and mAMZN: 

So far, the mBTC, mETH, mDOT and mGLXY pools have been drained. In around 12 hours, the market feed will kick in, and the attacker will be able to drain all of the mAsset pools (such as mSPY and mAAPL, mAMZN, etc.) – most of the pools can still be saved. (3/4)

— FatMan (@FatManTerra) May 30, 2022

Fix Put in Place Before Trading Begins

However, this was narrowly avoided as the developers were able to fix the incorrect pricing information just before US markets opened. The devs also disabled the usage of mBTC, mETH, mDOT and mGLXY, meaning the attackers couldn’t use their ill-gotten assets to drain any other pools.

This was the second major exploit of Mirror Protocol revealed this week. Just days ago, FatManTerra reported an attack that occurred on October 8, 2021 and went unnoticed for an astonishing seven months, resulting in the loss of more than US$88 million in assets.

The past month has been rough for DeFi, with the chaos surrounding the collapse of the Terra ecosystem causing large discrepancies across platforms in the price of Terra-based stablecoin UST, leading to significant losses for some DeFi apps such as Blizz Finance and Venus Protocol. 

DeFi exploits have also become increasingly commonplace of late; just weeks ago, Fortress Lending was taken for an estimated US$3 million.