Cybersecurity company BlockSec has confirmed that Mirror Protocol was compromised last year by a hacker who managed to steal about $90 million from the protocol.
In a complex and rapidly growing market like cryptocurrencies, many things can happen. One of them has been one of the rarest exploits recorded so far.
The decentralized protocol Mirror Protocol, built on the old Terra blockchain, now known as Terra Classic, was exploited for at least 8 months, since last October, without this generating an alert to the developers or the crypto community of users.
In a thread posted by cybersecurity company BlockSec, the company confirmed that a hacker had exploited a vulnerability in the Mirror Protocol code, related to funds escrow within the protocol.
This vulnerability, first reported by user @FatManTerra, allowed the attacker, unknown to date, extract nearly 90 million dollars from the protocol silently. BlockSec researchers published the address of the attack in question.
In addition to this million-dollar exploit, @FatManTerra also reported on a new vulnerability exploited in the Mirror Protocol a few hours ago, which was caused by a bug in the Luna Classic (LUNC) price oracle. In the exploit, the protocol lost another 2 million dollars, reported the user.
It may interest you: LUNA 2.0 collapses several hours after its launch
Mirror Lock contract error
In a thread on Twitter, @FatManTerra described how the unknown attacker was able to siphon tens of millions of dollars from Mirror Protocol undetected for several months.
Firstly, he noted that the vulnerability originated in the Mirror Lock contract, which locks the collateral asset deposited by a user in the protocol for a period of 14 days, when trading short.
However, the contract, which allows calling an unlock function to unlock the collateral through a position identification (ID) list, did not have a duplicate control or verification function. This allowed the attacker to create a short position and, after 14 days, call its position ID multiple times in a single list, extracting funds from the blocking contract “over and over again at low cost and without risk,” he explained. .
According to @FatManTerra, who claims that he and his team of cybersecurity researchers stumbled upon the exploit by pure chance, Mirror Protocol developers recently became aware of the existing vulnerability and patched it without informing the crypto community.
The analyst noted that the protocol was patched almost simultaneously with the crash suffered by TerraUSD (UST), now known as USTC, earlier this month.
A new hack to Mirror Protocol
Although the protocol developers have not confirmed any recent attacks, @FatManTerra claims that Mirror Protocol was violated again a few hours ago, losing another 2 million dollars.
The analyst pointed out that an error in the price oracle is telling the protocol that LUNC is worth around 5 UST, when the reality is that the value of this cryptocurrency is below $0,00012 (less than a microcent). .
The mBTC, mETH, mDOT and mGLXY pools on Mirror Protocol have been emptied, indicated @FatManTerra, while pointing out that the attack will worsen when the markets open, if the development team of this protocol does not intervene in time to correct the price oracle by LUNC.
The liquidity of this protocol has fallen considerably in the last month. According to data from the DeFi platform Llama, Mirror Protocol currently maintains just over $100.00 in liquidity.
Source: DeFi Llama
After surpassing $2.180 billion in liquidity on May 10, Mirror Protocol has lost more than 99% of its TVL at press time.
Continue reading: ESET warns of a scheme that imitates popular wallets to steal cryptocurrencies
