Mirror Protocol, a decentralized finance app on the old Terra blockchain, has reportedly suffered yet another exploit. Governance participant “Mirroruser” discovered the bug and reported it on the Terra Research Forum on May 30.
Popular Terra analyst and whistleblower “FatMan” also confirmed the attack shortly thereafter and revealed that if the vulnerability remained untreated, it would put all of its pools for tokenized assets at risk. After hours of delay, the devs finally stepped up and averted the crisis.
The exploit was enabled by a bug in the pricing oracle run by Terra Classic validators. For the uninitiated, the Mirror Protocol essentially enables users to create and trade mirrored assets, also known as mAssets, that “mirror” or are closely tied to the price of stocks, as the name suggests.
The DeFi app has its native versions for Bitcoin – mBTC, Ethereum – mETH, Polkadot – mDOT, etc., which closely mirror the price moves of the underlying assets. In addition to these pools, the buggy oracle enabled the attacker to drain the pool for the token representing Galaxy Digital stock – mGLXY – as well.
The “root cause,” as explained by Chainlink community ambassador “ChainLinkGod,” was that the validators of the old Terra blockchain (now called the Terra Classic) were running an outdated version of the oracle software that published erroneous pricing. The Terra Classic validators were reporting the price of the new LUNA instead of the old LUNC.
In the nick of time, the devs fixed the issue with the LUNC price feed. Mirror Protocol then disabled the use of mBTC, mETH, mGLXY, and mDOT as collateral, which prevented the attacker from using the ill-gotten funds to drain the rest of the pools.
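The failure described above (a feed that quoted one asset's price under another asset's name, and the emergency response of disabling collateral types) is the kind of thing a price consumer can defend against on its own side. The following is an added example, not Mirror Protocol's code or anything from the Terra codebase: a Rust guard that sits in front of a single asset's oracle feed and rejects updates that name the wrong asset, are stale, or move further than a configured bound in one step, pausing collateral valuation when that bound is tripped. The type names, the asset identifiers `uluna-classic` and `uluna`, the 20% deviation limit, the 60-second staleness limit, and the price series are all constructed for the example.

```rust
/// Prices are carried in micro-units (1e-6) as unsigned integers, the way
/// Cosmos-style contracts usually avoid floating point. Every type, field
/// and value in this file is an assumption made for the example.
#[derive(Debug, Clone, PartialEq)]
pub struct PriceUpdate {
    pub asset: String,     // identifier the feed claims to quote (constructed)
    pub price_micro: u128, // price in micro-USD
    pub timestamp: u64,    // seconds since epoch
}

#[derive(Debug, Clone, PartialEq)]
pub enum GuardError {
    WrongAsset { expected: String, got: String },
    ZeroPrice,
    Stale { age_secs: u64 },
    Deviation { bps: u128, max_bps: u128 },
    Paused,
    NotInitialized,
    Overflow,
}

/// Guard in front of one asset's price feed: remembers the last accepted
/// quote and refuses updates that name a different asset, are too old, or
/// jump further than `max_deviation_bps` in a single step. A rejected jump
/// pauses collateral valuation until an operator calls `resume`.
pub struct OracleGuard {
    expected_asset: String,
    max_deviation_bps: u128,
    max_age_secs: u64,
    last_price_micro: Option<u128>,
    paused: bool,
}

impl OracleGuard {
    pub fn new(expected_asset: &str, max_deviation_bps: u128, max_age_secs: u64) -> Self {
        OracleGuard {
            expected_asset: expected_asset.to_string(),
            max_deviation_bps,
            max_age_secs,
            last_price_micro: None,
            paused: false,
        }
    }

    pub fn is_paused(&self) -> bool {
        self.paused
    }

    /// Operator action after a manual review of the feed; clears the pause.
    pub fn resume(&mut self) {
        self.paused = false;
    }

    /// Validate one update; on success store it and return the price.
    pub fn accept(&mut self, update: &PriceUpdate, now: u64) -> Result<u128, GuardError> {
        if update.asset != self.expected_asset {
            return Err(GuardError::WrongAsset {
                expected: self.expected_asset.clone(),
                got: update.asset.clone(),
            });
        }
        if update.price_micro == 0 {
            return Err(GuardError::ZeroPrice);
        }
        let age = now.saturating_sub(update.timestamp);
        if age > self.max_age_secs {
            return Err(GuardError::Stale { age_secs: age });
        }
        if let Some(last) = self.last_price_micro {
            let diff = if update.price_micro > last { update.price_micro - last } else { last - update.price_micro };
            // movement in basis points relative to the last accepted quote
            let bps = diff.checked_mul(10_000).ok_or(GuardError::Overflow)? / last;
            if bps > self.max_deviation_bps {
                self.paused = true; // circuit breaker: stop valuing collateral on this feed
                return Err(GuardError::Deviation { bps, max_bps: self.max_deviation_bps });
            }
        }
        self.last_price_micro = Some(update.price_micro);
        Ok(update.price_micro)
    }

    /// Value `amount_micro` base units of the asset in micro-USD.
    pub fn collateral_value_micro(&self, amount_micro: u128) -> Result<u128, GuardError> {
        if self.paused {
            return Err(GuardError::Paused);
        }
        let price = self.last_price_micro.ok_or(GuardError::NotInitialized)?;
        amount_micro.checked_mul(price).map(|v| v / 1_000_000).ok_or(GuardError::Overflow)
    }
}

/// Replays a constructed feed: two LUNC-scale quotes, then a quote at the
/// scale of the new LUNA (the mis-published price the article describes),
/// then an update that names the wrong asset outright.
pub fn replay_constructed_feed() -> (Vec<Result<u128, GuardError>>, Result<u128, GuardError>) {
    let mut guard = OracleGuard::new("uluna-classic", 2_000, 60); // 20% per step, 60 s staleness
    let feed = vec![
        PriceUpdate { asset: "uluna-classic".into(), price_micro: 100, timestamp: 1_000 }, // $0.0001
        PriceUpdate { asset: "uluna-classic".into(), price_micro: 105, timestamp: 1_010 }, // +5%
        PriceUpdate { asset: "uluna-classic".into(), price_micro: 9_000_000, timestamp: 1_020 }, // $9
        PriceUpdate { asset: "uluna".into(), price_micro: 9_000_000, timestamp: 1_030 },
    ];
    let results: Vec<Result<u128, GuardError>> =
        feed.iter().map(|u| guard.accept(u, u.timestamp)).collect();
    // 1,000 LUNC (1e9 micro units) must not be valued while the feed is paused
    let value = guard.collateral_value_micro(1_000_000_000);
    (results, value)
}

fn main() {
    let (results, value) = replay_constructed_feed();
    for r in &results {
        println!("{:?}", r);
    }
    println!("collateral valuation while paused: {:?}", value);
}
```

The deviation bound is a blunt tool: a real LUNC price move larger than the limit would also trip it, which is the intended trade-off, since a paused feed fails closed and an operator can resume it after checking the upstream source, whereas a silently accepted wrong-asset price fails open.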
While a few in the community speculated whether the entire event was an inside job, FatMan believes otherwise. His tweet on the matter read:
“It really just looks like negligence of the highest order, but given what’s transpired this month, you can’t really put anything past them. I see no reason/evidence to believe this is an inside job at this stage. It’s basically a game of who has the fastest bot.”