Image default

DeFi’s $90 million flaw on Terra went unnoticed for seven months

Mirror Protocol, a DeFi application built on the old Terra blockchain, was attacked by a $90 million flaw in October 2021, and it remained entirely undiscovered until last week. The attacker was able to unlock guarantees from the protocol several times by simply paying a small amount each time.


The Mirror protocol allowed users to take long or short positions in technological stocks using synthetic assets. It was based on Terra, which collapsed earlier this month after its main stable currency lost its peg to the US dollar, causing its twin Luna token to fall. (The blockchain was relaunched under the name Terra 2.0, while the original chain continues to live under the name Terra Classic).

When a person wanted to bet against an action on Mirror, he had to block the guarantees – including UST, LUNA Classic (LUNC) and mAssets – for a minimum of 14 days.

After the transaction was completed, users could unlock the guarantee to release the funds in the wallet. All this was done using identification numbers generated by smart contracts.

However, due to a buggy code, Mirror’s lock contract would not have checked if a person used the same login more than once to withdraw funds.

In October 2021, an unknown entity realized that it could deploy a list of duplicate IDs to repeatedly unlock many more guarantees than it had. It was thus possible to withdraw funds arbitrarily without any authorization on the Terra channel via the breach. Exploiting the security flaw, the entity drained $90 million from the Mirror Protocol, according to blockchain records.

The very late discovery of this fault

The flaw was discovered by a member of the Terra community and an analyst called “FatMan”. He has been one of the most vocal antagonists of the recent launch of the new Terra blockchain.

« Two coffees later, when I was about to give up, I found this. Wait… What’s going on here? A single transaction from October 2021 unlocking a position over and over again – and it was executed. Here is the transaction ” FatMan published in his explanatory thread.

source: Twitter FatMan

Statistics on the Terra Classic channel revealed that the attacker was able to release UST funds from the protocol several times during the same transaction for only $ 17.54 each time.

By studying the precise transaction of the exploit, the security company BlockSec confirmed the conclusions of the community member.

The Mirror flaw is perhaps one of the few events where, despite the presence of data on the channel, a major hack was not disclosed for a long time. Usually, projects are quick to report security events for the sake of transparency.

According to BlockSec, the flaw probably went unnoticed because fewer people were looking for the problems on Terra than on Ethereum and Ethereum-compatible channels.

In addition, there was no interface on the Mirror website to check the total amount of guarantees in the protocol. So it was much more difficult to notice the vulnerability without sifting through a large amount of blockchain data.

A new attack

On May 30, just a few days after this discovery, the DeFi protocol was targeted again.

According to reports, this new hack is due to a flaw in the setting of the company’s price oracles, which allowed the attacker to take advantage of a price disparity between the old LUNC tokens and the new LUNA tokens.

The Terra nodes were using outdated oracle software, which allowed the attack to occur. The hacker stole more than $2 million from the protocol, according to the Chainlink community member who discovered the attack.

It is particularly rare for such flaws to go unnoticed for so long, however this shows that it is dangerous to invest in altcoins and that is why in times of bear-market, it is always more prudent to invest in bitcoin. This is not an investment advice, but a reminder of the safety of bitcoin.

Receive a digest of the news in the world of cryptocurrencies by subscribing to our new daily and weekly newsletter service so you don’t miss anything essential Cointribune!

Alexis Skate avatar
Alexis Patin

Observer of the monetary, economic and social revolution.

Related posts

Bearnstalk Farms victim of a major attack

Ronald Chasteen

Quantum computers to attack the Bitcoin (BTC) network?

Ronald Chasteen

India’s NSDL Acquires DLT for Monitoring of securities and bonds

Ronald Chasteen