DeFi App Mirror Protocol Suffers Fresh Exploit Due to LUNA Classic Pricing Error

This is the second time Mirror Protocol has suffered from a major vulnerability.

By Shomik Sen Bhattacharjee | Updated: 1 June 2022 13:35 IST

DeFi App Mirror Protocol Suffers Fresh Exploit Due to LUNA Classic Pricing Error

Photo Credit: Medium/ Mirror Protocol

The exploit was spotted in liquidity pools mirroring Bitcoin, Ethereum, Polkadot and Galaxy Digital stock

Highlights

All of Mirror's pools weren't drained by the attacker
A pricing error for Luna Classic (LUNC) made the exploit possible
Mirror allows trading of synthetic assets such as stocks

Mirror Protocol, a decentralised finance (DeFi) app on the Terra blockchain, has suffered yet another exploit due to an error in the configuration of price oracles, just days after discovering that it had been exploited for almost $90 million (roughly Rs. 700 crore) seven months ago. The attacker has leveraged the fact that price oracles are mismatching the old Terra Classic (LUNC) token with the new LUNA token. This was confirmed by a Chainlink community member who said oracles are currently "reporting the price of the new Terra 2.0 $LUNA coin instead of the original Terra Classic $LUNC coin."

Quickly circulated on Twitter by user and Terra Research Forum member FatMan (@FatManTerra), who discovered the previous Mirror exploit four days ago.

A bug in the pricing oracle is telling the system that LUNC is worth around 5 UST when it's actually under a microcent. For $1k in LUNC, an attacker can now load up on $1.3m in collateral but can pull out real assets by borrowing. Example tx: https://t.co/QBxgAq8ovb (2/4)
— FatMan (@FatManTerra) May 30, 2022

@stablekwon @mirror_protocol Please look into fixing the LUNC price oracle, because in a short while, all liquidity pools will be drained, Mirror will accrue irremediable bad debt, and the system will collapse in on itself. This is not the time to be negligent. (4/4)
— FatMan (@FatManTerra) May 30, 2022

According to FatMan, the hack was possible due to an error in the configuration of price oracles. FatMan estimates the exploit has already cost Mirror Protocol around $2 million (roughly Rs. 15.5 crore) when first reported at 1:30 am IST. FatMan has since tweeted that Mirror Protocol has reacted and disabled mBTC, mETH, mGLXY, and mDOT as collateral and thus prevented the attacker from draining other liquidity pools completely. That said, we don't yet have an official figure as to how much the attacker has been able to drain from Mirror Protocol's pool combined.

Crisis averted - in the nick of time, Mirror disabled the usage of mBTC, mETH, mGLXY and mDOT as collateral. The attacker can no longer use his ill-gotten endowment to drain the rest of the pools. Great job @mirror_protocol - thank you! https://t.co/o64SVIRBmZ
— FatMan (@FatManTerra) May 31, 2022

For the uninitiated, Mirror Protocol is a decentralised application that allows for the creation of digital synthetics that track the price of real-world assets, such as stocks. Mirror's core contracts were deployed on Terra Classic, but its assets are available on networks like Ethereum.

This is the second time Mirror Protocol has suffered from a major vulnerability. The previous bug in Mirror's code was exploited "hundreds of times" since 2021 according to a tweet from FatMan.

Will crypto tax hurt the industry in India? We discuss this on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.

Cryptocurrency is an unregulated digital currency, not a legal tender and subject to market risks. The information provided in the article is not intended to be and does not constitute financial advice, trading advice or any other advice or recommendation of any sort offered or endorsed by NDTV. NDTV shall not be responsible for any loss arising from any investment based on any perceived recommendation, forecast or any other information contained in the article.

Affiliate links may be automatically generated - see our ethics statement for details.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.