Mirror Protocol, a decentralised finance (DeFi) app on the Terra blockchain, has suffered yet another exploit due to an error in the configuration of price oracles, just days after discovering that it had been exploited for almost $90 million (roughly Rs. 700 crore) seven months ago. The attacker has leveraged the fact that price oracles are mismatching the old Terra Classic (LUNC) token with the new LUNA token. This was confirmed by a Chainlink community member who said oracles are currently “reporting the price of the new Terra 2.0 $LUNA coin instead of the original Terra Classic $LUNC coin.”
Quickly circulated on Twitter by user and Terra Research Forum member FatMan (@FatManTerra), who discovered the previous Mirror exploit four days ago.
A bug in the pricing oracle is telling the system that LUNC is worth around 5 UST when it’s actually under a microcent. For $1k in LUNC, an attacker can now load up on $1.3m in collateral but can pull out real assets by borrowing. Example tx: https://t.co/QBxgAq8ovb (2/4)
— FatMan (@FatManTerra) May 30, 2022
@stablekwon @mirror_protocol Please look into fixing the LUNC price oracle, because in a short while, all liquidity pools will be drained, Mirror will accrue irremediable bad debt, and the system will collapse in on itself. This is not the time to be negligent. (4/4)
— FatMan (@FatManTerra) May 30, 2022
According to FatMan, the hack was possible due to an error in the configuration of price oracles. FatMan estimates the exploit has already cost Mirror Protocol around $2 million (roughly Rs. 15.5 crore) when first reported at 1:30 am IST. FatMan has since tweeted that Mirror Protocol has reacted and disabled mBTC, mETH, mGLXY, and mDOT as collateral and thus prevented the attacker from draining other liquidity pools completely. That said, we don’t yet have an official figure as to how much the attacker has been able to drain from Mirror Protocol’s pool combined.
Crisis averted – in the nick of time, Mirror disabled the usage of mBTC, mETH, mGLXY and mDOT as collateral. The attacker can no longer use his ill-gotten endowment to drain the rest of the pools. Great job @mirror_protocol – thank you! https://t.co/o64SVIRBmZ
— FatMan (@FatManTerra) May 31, 2022
For the uninitiated, Mirror Protocol is a decentralised application that allows for the creation of digital synthetics that track the price of real-world assets, such as stocks. Mirror’s core contracts were deployed on Terra Classic, but its assets are available on networks like Ethereum.
This is the second time Mirror Protocol has suffered from a major vulnerability. The previous bug in Mirror’s code was exploited “hundreds of times” since 2021 according to a tweet from FatMan.
Cryptocurrency is an unregulated digital currency, not a legal tender and subject to market risks. The information provided in the article is not intended to be and does not constitute financial advice, trading advice or any other advice or recommendation of any sort offered or endorsed by NDTV. NDTV shall not be responsible for any loss arising from any investment based on any perceived recommendation, forecast or any other information contained in the article.