$90 Million Hack of Terra’s Mirror Protocol Went Unnoticed for Seven Months

$90 Million Hack of Terra’s Mirror Protocol Went Unnoticed for Seven Months

The frequency of DeFi hacks has made them almost commonplace in the cryptoverse. However, what is certainly unusual is DeFi protocol exploits worth $90 million going unnoticed for seven months – and yet, that is the story of Mirror Protocol.

$90 Million Hack Goes Unnoticed for Seven Months

Mirror Protocol is a decentralized application on the Terra chain that allows for the creation of digital synthetics which track the price of real-world assets.

On May 17th, community members discovered a bug in the Mirror Protocol’s code that allowed a hacker to gradually siphon as much as $90 million, starting from October 8th, 2021. 

According to a user under the alias of “FatMan, the bug allowed the hacker to unlock other users’ collateral on Mirror Protocol, and withdraw it for themselves. 

The bug in Mirror’s code has been exploited “hundreds of times” since 2021, allowing the hacker to suck $89,706,164.03 out from the protocol. 

On-chain data indeed confirms that the hacker unlocked UST funds in the Mirror protocol multiple within the same transaction, paying only about $17.54 to do so.

Mirror Protocol Suffers Another Hack

Just days after the discovery, the DeFi protocol suffered a further attack on May 30th.

According to reports, the latest hack was caused by an error in the configuration of its price oracles, leading to the attacker taking advantage of a mismatched price between the old LUNC token, and the new LUNA token. 

The attack was made possible due to the fact that the Terra nodes were running on outdated oracle software. According to the Chainlink community member who spotted the attack, the hacker drained upwards of $2 million from the protocol.

On the Flipside

  • The bug was quietly fixed by Mirror Protocol developers on May 9th, without any official communication to the community that the code had been exploited. 

Why You Should Care

While this is certainly not the first DeFi exploit in history, it is by far the longest it has taken for one to be reported. The pressure continues to pile on for Terra.

Back to Top
Close Zoom
Don't push your luck