Mirror Protocol suffers $2 million exploit after $90 million stolen in October
Jonathan Greig June 1, 2022

Mirror Protocol suffers $2 million exploit after $90 million stolen in October

Mirror Protocol suffers $2 million exploit after $90 million stolen in October

The Mirror Protocol – a decentralized finance platform on the Terra network – has had more than $2 million drained from it due to an issue affecting how its price-setting software reacted to the historic Luna cryptocurrency crash and the rushed decision to create a new version of it. 

After the coin collapsed earlier this month, the people behind it created a new version and released it this weekend. But Mirror Protocol’s pricing oracle set the price of Luna to that of the new version of the coin even as the price of the original coin plummeted far below 1 cent. This allowed attackers to take out more than $1 million in loans with just $1,000 in collateral. 

Similar attacks were launched against Venus Protocol and Blizz Finance, two DeFi platforms that had $11 million and $8.3 million stolen respectively. 

The incident was highlighted in Mirror’s forum on May 28 after several cryptocurrency pools were drained.

Mirror Protocol did not respond to requests for comment and has not released a statement about the issue, but on their forum, a user connected to the company initially denied that there was a hack.

The platform eventually disabled the attack method before more cryptocurrency could be drained.

Mirror Protocol was built on the Terra blockchain to allow users to create synthetic assets and trade them against tech stocks. The blockchain has been replaced with Terra 2.0 after the original version collapsed amid turmoil around the TerraUSD stablecoin and its sister token Luna.

A former employee of the Securities and Exchange Commission told The Block two weeks ago that officials are likely investigating the Mirror Protocol over its involvement with TerraUSD.

The attack on Mirror Protocol was the second discovered in recent days after a Twitter account named FatManTerra discovered that more than $90 million was stolen from the platform in October. 

The attacks were confirmed by blockchain security company BlockSec, which criticized the operators behind Mirror Protocol for silently addressing the issue that allowed for the theft without notifying users.

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.