Last week, a member of the Terra community accidentally discovered a DeFi vulnerability that had gone unnoticed for seven months; BlockSec security analysts have since confirmed it. In October 2021, the DeFi application Mirror Protocol lost $90 million to an attack on the old Terra blockchain, but the community did not realize it had happened until last week. Mirror Protocol reportedly allows users to go long or short on technology stocks using synthetic assets.
Mirror Protocol is built on the Terra blockchain. However, after the TerraUSD (UST) stablecoin lost its peg to the US dollar, its sister token Luna was dragged down to almost nothing earlier this month.
After a few weeks of chaos, the community voted to hard fork to Terra 2.0 to eliminate the impact, and the original chain was renamed Terra Classic.
The vulnerability described in this article was exposed by "FatMan", a Terra community member and analyst. He is also one of the most outspoken opponents of the newly launched Terra 2.0 blockchain.
At the same time, the security company BlockSec confirmed FatMan's discovery by analyzing the specific transactions that exploited the vulnerability.
Whenever someone wants to open a short position on Mirror, they must lock up collateral, which can include UST, Luna Classic (LUNC) and mAssets, for at least 14 days.
After the trade, the user can unlock the collateral and release the assets back to their wallet. All of these operations are keyed to an ID number generated by the smart contract.
However, due to a bug in the code, Mirror's lock contract reportedly failed to check whether someone used the same ID multiple times to withdraw funds.
So in October 2021, an unknown entity discovered this vulnerability and used a list of duplicate IDs to unlock collateral hundreds of times over, which essentially means the perpetrator could withdraw funds without any authorization.
Subsequent blockchain records show that the entity made off with about US$90 million in total. What is remarkable, however, is that this loophole was not exposed until seven months later.
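The duplicate-ID flaw described above, modelled as an added example (not Mirror's contract code and not part of the original article): an unlock routine that never checks for repeated IDs, next to a hardened one. The types, function names, owner check and sample balances are assumptions made for illustration.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Hypothetical, simplified lock-contract model (not Mirror's code).
pub struct Position { pub owner: String, pub amount: u128, pub unlock_time: u64 }
pub struct LockContract { pub positions: BTreeMap<u64, Position>, pub balance: u128 }

impl LockContract {
    // Per-ID checks: the position exists, belongs to the caller, and has matured.
    fn releasable(&self, caller: &str, now: u64, id: u64) -> Result<u128, String> {
        let p = self.positions.get(&id).ok_or("unknown position")?;
        if p.owner != caller { return Err("not owner".into()); }
        if now < p.unlock_time { return Err("still locked".into()); }
        Ok(p.amount)
    }

    // Flawed: every listed ID passes the checks because deletion happens only
    // after the loop, so an ID repeated N times is paid N times.
    pub fn unlock_flawed(&mut self, caller: &str, now: u64, ids: &[u64]) -> Result<u128, String> {
        let mut payout = 0u128;
        for &id in ids { payout += self.releasable(caller, now, id)?; }
        for id in ids { self.positions.remove(id); }
        self.balance = self.balance.saturating_sub(payout);
        Ok(payout)
    }

    // Hardened: reject repeated IDs and cap the payout at the contract balance
    // before any position is removed or any funds are released.
    pub fn unlock_checked(&mut self, caller: &str, now: u64, ids: &[u64]) -> Result<u128, String> {
        let unique: BTreeSet<u64> = ids.iter().copied().collect();
        if unique.len() != ids.len() { return Err("duplicate position id".into()); }
        let mut payout = 0u128;
        for &id in &unique { payout += self.releasable(caller, now, id)?; }
        if payout > self.balance { return Err("payout exceeds contract balance".into()); }
        for id in &unique { self.positions.remove(id); }
        self.balance -= payout;
        Ok(payout)
    }
}

// Constructed sample state: alice locked 100, bob locked 900, both mature at t=14.
pub fn sample() -> LockContract {
    let mut positions = BTreeMap::new();
    positions.insert(1, Position { owner: "alice".into(), amount: 100, unlock_time: 14 });
    positions.insert(2, Position { owner: "bob".into(), amount: 900, unlock_time: 14 });
    LockContract { positions, balance: 1000 }
}

fn main() {
    println!("flawed:  {:?}", sample().unlock_flawed("alice", 14, &[1; 5]));
    println!("checked: {:?}", sample().unlock_checked("alice", 14, &[1; 5]));
}
```

In the flawed path the caller's single 100-unit position pays out 500, drawn from other users' collateral. An invariant monitor comparing the contract balance with the sum of open positions would flag that mismatch.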
Generally, for the sake of transparency, project managers notify the public of security incidents as soon as possible, even though incidents like the Mirror Protocol vulnerability are quite rare.
BlockSec points out that, compared with Ethereum and compatible blockchains, fewer people scan Terra for such problems, so the vulnerability remained unknown to the public for a long time.
In addition, the Mirror website has no interface for viewing the total amount of collateral in the protocol, which makes it harder to find such vulnerabilities without sifting through a large amount of blockchain data.
Earlier this month, at about the same time that the UST stablecoin began to collapse, Mirror developers quietly fixed the vulnerability. A week after the patch was released, community members began to question whether there had been a vulnerability.
Of course, this is not the first time hackers have targeted a cryptocurrency blockchain protocol. For example, in March 2022, it was only a week after hackers stole $600 million from the Ronin sidechain that people who could not withdraw funds realized something bad had happened.
Finally, Mirror Protocol, which has been investigated by the US Securities and Exchange Commission (SEC), has not yet made an official comment on this matter.
The Block sent a request for comment to the Mirror / Terraform Labs team, but as of press time they had not commented.