Mirror Protocol suffers new exploit and could be drained in hours

Quick Take

  • Mirror Protocol has been exploited for more than $2 million, with several pools drained.
  • The attacker may be able to drain the rest of the pools when pre-market trading for stocks starts tomorrow morning.

Mirror Protocol, a DeFi app on the Terra blockchain, has suffered another exploit. So far, more than $2 million has been taken, and if the bug isn't fixed by 4:00 AM ET tomorrow, all of its pools for tokenized assets will be at risk.

Mirror Protocol allows users to take long or short positions on tech stocks using synthetic assets. It's running on the old Terra blockchain — now called Terra Classic — which was replaced by a new blockchain after the collapse of its main stablecoin TerraUSD (UST) and its sister token Luna, now called Luna Classic (LUNC). Despite being shelved, the old blockchain continues to run.

Mirror Protocol also has its own versions of other cryptocurrencies, such as mBitcoin for bitcoin (which is supposed to be tied to bitcoin's price). It is primarily these pools that have been drained so far. According to the Mirror Protocol website, the pools for bitcoin, ether and polkadot have been drained. In addition, the pool for the token representing Galaxy Digital stock has been drained.

A Terra community member known as FatMan — who represented the voice of many who opposed the way the new Terra blockchain was launched — estimated that more than $2 million has been taken so far. He told The Block that he looked at a range of transactions and made this estimate, but has asked researchers to total up the full amount.

The remaining pools are all tied to stocks and aren't available for trading until pre-market trading opens at 4:00 AM ET. At that point, the exploit may be used for the remaining pools — unless the bug is fixed in time.

What caused the problem?

The issue appears to be related to the protocol's oracle. An oracle is the way a protocol collects data, including from the real world. In this case, the oracles fetch data relating to the price of stocks and certain cryptocurrencies.

According to Todd Garrison, founder of Block Pane — which runs validator nodes on various blockchains — the issue is that the majority of validators running nodes on the Terra Classic chain are running an outdated version of the price oracle. As a result, these nodes are telling the Mirror Protocol that LUNC is worth 5 TerraUSD (UST) ($0.10), instead of being just a fraction of a cent.

"Please look into fixing the LUNC price oracle, because in a short while, all liquidity pools will be drained, Mirror will accrue irremediable bad debt, and the system will collapse in on itself. This is not the time to be negligent," he said on Twitter, linking relevant Twitter accounts.
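The oracle failure described above can be caught by a deviation check on the consuming side. The following is an added example, not code from Mirror Protocol or Terra: it assumes validator price votes are aggregated by a voting-power-weighted median, and the validator names, voting powers, reference price and 10% threshold are all constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data: (validator, voting_power, reported LUNC price in UST).
# Most voting power runs an outdated feeder that still reports 5 UST.
VOTES = [
    ("val-a", 30, Decimal("5")),
    ("val-b", 25, Decimal("5")),
    ("val-c", 15, Decimal("5")),
    ("val-d", 20, Decimal("0.0001")),
    ("val-e", 10, Decimal("0.00011")),
]
REFERENCE_PRICE = Decimal("0.0001")  # constructed independent market reference
MAX_DEVIATION = Decimal("0.10")      # hypothetical policy: halt beyond 10% drift


def weighted_median(votes):
    """Price at which cumulative voting power first reaches half of the total."""
    ordered = sorted(votes, key=lambda v: v[2])
    total = sum(power for _, power, _ in ordered)
    running = 0
    for _, power, price in ordered:
        running += power
        if running * 2 >= total:
            return price
    raise ValueError("no votes submitted")


def check_feed(votes, reference, max_deviation=MAX_DEVIATION):
    """Return (aggregated_price, deviation, halt) for one asset."""
    price = weighted_median(votes)
    if reference <= 0:
        return price, None, True  # no usable reference: fail closed
    deviation = abs(price - reference) / reference
    return price, deviation, deviation > max_deviation


def stale_validators(votes, reference, max_deviation=MAX_DEVIATION):
    """Names of validators whose own vote drifts past the threshold."""
    return [name for name, _, price in votes
            if abs(price - reference) / reference > max_deviation]


if __name__ == "__main__":
    price, deviation, halt = check_feed(VOTES, REFERENCE_PRICE)
    print(f"aggregated={price} deviation={deviation} halt={halt}")
    print("stale feeders:", stale_validators(VOTES, REFERENCE_PRICE))
```

With 70% of the constructed voting power on the outdated feeder, the median itself is the stale 5 UST value, so the aggregation alone does not protect the protocol; the independent reference comparison is what trips the halt.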

The attack has been ongoing over the last couple of days — but so far it hasn't affected the majority of tokenized stocks as the stock market was closed over the weekend and for Memorial Day in the US. It was first noticed on May 29 by a pseudonymous user known as "Mirroruser," who reported it on the Mirror forum. They provided several addresses related to the exploit.

FatMan also identified a previous bug involving Mirror Protocol last week, which was confirmed by security analysts BlockSec. He found that the protocol suffered a $90 million exploit toward the end of last year, one that went unnoticed for seven months.

© 2023 The Block. All Rights Reserved.