At DeFi under Terra, a protocol error led to $90 million for attackers

Terra (LUNA) is not getting out of the negative headlines. It has only now emerged that the DeFi protocol Mirror was programmed incorrectly there, which enabled attackers to loot 90 million US dollars.

Confidence in the growth division Decentralized Finances (DeFi) has once again been shaken by a serious programming error. This time it’s about the Mirror protocol, which under Terra (LUNA) enabled a kind of derivatives trading on tech stocks. However, a non-legal outflow of the equivalent of 90 million US dollars occurred at Mirror in October 2021, as analyst FatMan explains on Twitter. His research has since also been confirmed by crypto security firm BlocSec via Twitter. Mirror itself did not comment on the incident, nor did Terra Labs.

In order to build up positions at Mirror, collateral had to be deposited in LUNA or the linked stablecoin UST, for example. Such structures at DeFi are organized via smart contracts, of course. The contract for Mirror stipulated that deposited guarantees could only be transferred back to the user’s own wallet after positions had been liquidated. So far, so good – but here it came to the momentous mistake. Because for each withdrawal transaction at Mirror, an ID was also assigned by the smart contract. FatMan proves that these IDs could not be used only once at Mirror, as was thought, but could be used as often as desired. The attacker(s) were thus able to multiply their capital over a short period of time, as the blockchain data also proves.

Mirror had apparently fixed the bug in mid-May, but had not communicated this publicly. However, when Mirror went into action, the free fall of Terra and UST had already started. Therefore, according to the information available so far, the 90 million hack at Mirror cannot be directly linked to the Terra crash. BlocSec believes the bug could only have gone undetected for so long because analysts’ eyes were also previously less focused on Terra than on DeFi market leaders Ethereum (ETH) and Binance Smart Chain.

Bottom line: fatal examples of DeFi vulnerabilities.

In March, hackers had exploited a vulnerability in Axie Infinity’s (AXS) sidechain Ronin and captured $600 million. Here, the victims are to be compensated – but the loss of trust remains. Now with Mirror, those responsible have gone underground and compensation is unlikely. If you invest in DeFi, the recent examples should remind you that a small mistake in the technological organization in the protocols can lead to massive losses.

Be the first to comment

Leave a Reply

Your email address will not be published.