DeFi Protocol ‘Mirror’ Exploited for $2 Million Due to Buggy Code

Terra-based DeFi app Mirror Protocol has suffered an estimated US$2 million exploit related to the recent rebrand of the original Terra blockchain as Terra Classic

This is the second major exploit of Mirror Protocol to be revealed in the past week:

During the attack, the pools for mBTC, mETH, mDOT and mGLXY were virtually completely drained – and initially there were fears all asset pools could be drained, before developers belatedly patched the exploit.

What is Mirror Protocol?

Mirror Protocol is a DeFi app that allows for the creation of digital ‘mirrors’ of real-world assets, such as stocks and other cryptocurrencies, which closely track the price of the assets on which they’re based. 


Mirror is built on the Terra Classic blockchain, but its assets are also available on other chains such as Ethereum and Binance Smart Chain.

Attacker Exploited Confusion Caused by New Terra Chain

The attack was initially discovered by a user of the Mirror Protocol forum known as Mirroruser and was shared on Twitter by Terra analyst FatManTerra.

FatManTerra explained the exploit was possible because many Terra Classic validators were running outdated software and reporting the price of the new Terra (LUNA), which at the time was valued at about US$9.80, rather than the price of the original Terra Classic (LUNC), valued at around US$0.0001. This discrepancy allowed the attacker(s) to acquire US$1.3 million of collateral, such as mBTC, for every US$1000 in LUNC they spent:

There were initially fears that the exploit wouldn’t be fixed before US stock markets opened, allowing the attacker to drain stock-based asset pools such as mAAPL and mAMZN: 

Fix Put in Place Before Trading Begins

However, this was narrowly avoided as the developers were able to fix the incorrect pricing information just before US markets opened. The devs also disabled the usage of mBTC, mETH, mDOT and mGLXY, meaning the attackers couldn’t use their ill-gotten assets to drain any other pools.

This was the second major exploit of Mirror Protocol revealed this week. Just days ago, FatManTerra reported an attack that occurred on October 8, 2021 and went unnoticed for an astonishing seven months, resulting in the loss of more than US$88 million in assets.

The past month has been rough for DeFi, with the chaos surrounding the collapse of the Terra ecosystem causing large discrepancies across platforms in the price of Terra-based stablecoin UST, leading to significant losses for some DeFi apps such as Blizz Finance and Venus Protocol

DeFi exploits have also become increasingly commonplace of late; just weeks ago, Fortress Lending was taken for an estimated US$3 million.

Jody McDonald

Jody McDonald

Jody is a Brisbane-based freelance writer who specialises in writing about business, technology, and the future of work.

You may also like