Mirror Protocol suffers $2 million exploit after $90 million stolen in October

The Mirror Protocol – a decentralized finance platform on the Terra network – has had more than $2 million drained from it due to an issue affecting how its price-setting software reacted to the historic Luna cryptocurrency crash and the rushed decision to create a new version of it. 

After the coin collapsed earlier this month, the people behind it created a new version and released it this weekend. But Mirror Protocol's pricing oracle set the price of Luna to that of the new version of the coin even as the price of the original coin plummeted far below 1 cent. This allowed attackers to take out more than $1 million in loans with just $1,000 in collateral. 

Similar attacks were launched against Venus Protocol and Blizz Finance, two DeFi platforms that had $11 million and $8.3 million stolen respectively. 

.@mirror_protocol has just been exploited again due to Terra Classic validators reporting the price of the new Terra 2.0 $LUNA coin (~$9.80) instead of the original Terra Classic $LUNC coin (~$0.0001)

This is a massive operations failurehttps://t.co/hO0M0UFBYq https://t.co/ygbr3ij4iS pic.twitter.com/PO0huxX8oQ

— ChainLinkGod.eth (@ChainLinkGod) May 30, 2022

The incident was highlighted in Mirror's forum on May 28 after several cryptocurrency pools were drained.

Mirror Protocol did not respond to requests for comment and has not released a statement about the issue, but on their forum, a user connected to the company initially denied that there was a hack.

So far, the mBTC, mETH, mDOT and mGLXY pools have been drained. In around 12 hours, the market feed will kick in, and the attacker will be able to drain all of the mAsset pools (such as mSPY and mAAPL, mAMZN, etc.) - most of the pools can still be saved. (3/4)

— FatMan (@FatManTerra) May 30, 2022

Crisis averted - in the nick of time, Mirror disabled the usage of mBTC, mETH, mGLXY and mDOT as collateral. The attacker can no longer use his ill-gotten endowment to drain the rest of the pools. Great job @mirror_protocol - thank you! https://t.co/o64SVIRBmZ

— FatMan (@FatManTerra) May 31, 2022

The platform eventually disabled the attack method before more cryptocurrency could be drained.

Mirror Protocol was built on the Terra blockchain to allow users to create synthetic assets and trade them against tech stocks. The blockchain has been replaced with Terra 2.0 after the original version collapsed amid turmoil around the TerraUSD stablecoin and its sister token Luna.

A former employee of the Securities and Exchange Commission told The Block two weeks ago that officials are likely investigating the Mirror Protocol over its involvement with TerraUSD.

The attack on Mirror Protocol was the second discovered in recent days after a Twitter account named FatManTerra discovered that more than $90 million was stolen from the platform in October. 

The attacks were confirmed by blockchain security company BlockSec, which criticized the operators behind Mirror Protocol for silently addressing the issue that allowed for the theft without notifying users.

4/ This raises the question: how many vulnerabilities have been exploited in the wild (and silently patched)? Project zero has a good resource(https://t.co/YvNE1hfIMA…) for o-day-in-the-whild. However, such research does not exist in the DeFi world yet.

— BlockSec (@BlockSecTeam) May 29, 2022