An error in the pricing oracle software used by Terra Classic validators allowed an exploiter to drain four synthetic asset pools from the Mirror Protocol.
Mirror Protocol Suffers New Exploit
A disparity in the reported prices of underlying assets on the synthetic assets decentralized finance (DeFi) platform Mirror Protocol has resulted in an ongoing exploit that has the ability to deplete all of its funds.
On Sunday, governance participant Mirroruser observed the exploit on the protocol’s forum. At the time of writing, the Mirror BTC (mBTC), Mirror Polkadot (mDOT), Mirror Ether (mETH), and Mirror Galaxy (mGLXY) synthetic asset pools using the protocol have lost nearly all of their over $2 million worth of assets.
Mirror enables the trading of synthetic assets like as equities and cryptocurrencies on the Terra and Terra Classic layer-1 blockchains, as well as BNB Chain and Ethereum.
The exploit was possible because of a Luna Classic (LUNC) pricing error. Terra Classic’s remaining validators indicated that the price of LUNC at $0.000122 was the same as the newly launched Terra (LUNA) ($9.32), despite the fact that their real market prices varied greatly according to CoinGecko.
On Tuesday, Chainlink community ambassador ChainLinkGod explained that “Terra Classic validators were running an outdated version of Oracle software.”
Terra Community Whistleblower Warns Devs Regarding Exploit
Terra community whistleblower on Twitter, pseudonymous FatMan, warned that the Mirror exploit would affect the other “m” asset pools by about 8:00 am UTC on Tuesday. However, the account believes that the majority of the pools can be saved if the devs fix the bug.
It seems that the pricing error for LUNC has been corrected by 12:55 am UTC since the price confirmed by the oracle has been restored to its real market value.
This is the second time Mirror has had a severe security vulnerability exposed. FatMan, in a Friday tweet, claimed that the prior weakness in Mirror’s code had been exploited “hundreds of times” since 2021. The first exploit made it possible for a user to gain access to other users’ collateral on the protocol and pull it out themselves. He stated that the first exploiter escaped with “well over $30 million” and was not detected until May 2022.
As planned by founder Do Kwon, the Terra ecosystem relaunched on Saturday when Terra 2.0 went online. The Terra 2.0 blockchain is a fork of the Terra Classic blockchain. LUNA tokens are being airdropped to investors who retained the previous version of LUNA and the TerraUSD (UST) stablecoin during the tragic failure of the Terra ecosystem earlier this month.
Hackers Target DeFi
As more than 300 crypto companies have entered the market, the advent of DeFi has offered a new profitable avenue for cybercriminals. Despite its reputation as a secure technology, smaller exchanges may not have the appropriate cybersecurity staff to protect their nascent ecosystems.
In May, Venus Protocol and Blizz Finance both fell victim to a similar exploit when the price oracle Chainlink claimed the LUNA price to be $0.10 despite the market price being far lower. While Venus lost $11.2 million, Blizz Finance was completely depleted.
The gaming-focused platform Ronin Network suffered the largest hack in the DeFi space to date, losing over $625 million in USDC and ETH.