Terra-backed DeFi protocol Mirror has been the victim of an exploit worth over $90 million. It was discovered by the analyst FatMan and verified by cybersecurity firm BlockSec.
To short a synthetic stock on the Mirror Protocol, you must lock collateral (UST, LUNA Classic and mAssets) for at least 14 days. The tokens can be withdrawn to the wallet after the transaction is complete.
The identifier generated by the smart contract was used to identify the owner of the assets. Due to the vulnerability, the protocol was unable to prevent multiple withdrawals by the same user. In October 2021, an unidentified person discovered the flaw and caused a total of $90 million in damage, hundreds of times more than the amount of collateral he had locked.
BlockSec explained that this has only now come to light because the Mirror website does not show data on the amount of collateral deposited by users. Another factor was that the community pays less attention to analyzing data on the Terra blockchain than on Ethereum and EVM-compatible networks.
In May, a few days after Terra’s crash, the Mirror Protocol developers patched the vulnerability. On the community forum, the team left unanswered the question of whether anyone had exploited it.
The other day, an unknown person withdrew another $2 million from Mirror as a result of problems with displaying quotes from oracles. This vulnerability was discovered by a member of the Mirroruser community and confirmed by FatMan.
Most of the validators on the Terra Classic network used an older version of the oracle. It provided the system with a price for LUNA Classic (LUNC) of 5 USTC (~$0.12), while the actual price did not exceed $0.0001. As a result, the attacker drained several liquidity pools (mBTC, mETH, mDOT and mGLXY).
The analyst warned that a hacker could do the same to mAsset pools, leading to the accumulation of bad debt and the collapse of the protocol. Access to them is suspended until the start of the pre-trading session for the shares to which they are linked.
The situation was “saved” by the weekend and the United States Memorial Day holiday on May 30, when the stock market was closed.
The developers listened to the expert’s advice. They disabled the use of mBTC, mETH, mGLXY and mDOT as collateral, preventing a “disaster”. As a result, the attacker lost the ability to drain liquidity pools.
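The oracle mispricing described above suggests a defensive check: refuse a collateral valuation when the oracle price diverges too far from an independent reference. The following is an added example, not Mirror Protocol's code, using the LUNC figures from the article ($0.12 reported, $0.0001 actual). The function names, the second price feed, the 10% tolerance, the 150% collateral ratio and the 1,000,000 LUNC position are assumptions.

```rust
// Added illustration; not Mirror Protocol code. Names and thresholds are assumptions.
// Prices are micro-USD per token (1 USD = 1_000_000) so the math stays in integers.

#[derive(Debug, PartialEq)]
pub enum PriceError {
    ZeroPrice,
    Deviation { oracle: u128, reference: u128 },
}

/// Accept the oracle price only if it lies within `max_dev_bps` basis points
/// of an independent reference price (hypothetical second feed).
pub fn checked_price(oracle: u128, reference: u128, max_dev_bps: u128) -> Result<u128, PriceError> {
    if oracle == 0 || reference == 0 {
        return Err(PriceError::ZeroPrice);
    }
    let diff = oracle.abs_diff(reference);
    // diff / reference > max_dev_bps / 10_000, cross-multiplied to avoid division.
    if diff * 10_000 > reference * max_dev_bps {
        return Err(PriceError::Deviation { oracle, reference });
    }
    Ok(oracle)
}

/// Value (micro-USD) that `amount` tokens of collateral can back at a
/// minimum collateral ratio given in percent.
pub fn mint_capacity(amount: u128, price: u128, min_ratio_pct: u128) -> u128 {
    amount * price * 100 / min_ratio_pct
}

fn main() {
    let reported = 120_000; // ~$0.12, the price the outdated oracle supplied
    let actual = 100; // $0.0001, the upper bound on the real price
    let collateral = 1_000_000; // constructed position: 1,000,000 LUNC
    let ratio = 150; // assumed minimum collateral ratio, percent

    // Without a check, the inflated price is used as-is.
    println!("unchecked capacity: {} micro-USD", mint_capacity(collateral, reported, ratio));
    println!("capacity at real price: {} micro-USD", mint_capacity(collateral, actual, ratio));

    // With the check (10% tolerance), the valuation is refused instead.
    match checked_price(reported, actual, 1_000) {
        Ok(p) => println!("accepted price {}", p),
        Err(e) => println!("collateral valuation rejected: {:?}", e),
    }
}
```

At the reported price the constructed position backs 1,200 times more value than at the real price, which is the gap the deviation check closes.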
Recall that in May FatMan suspected Terraform Labs CEO Do Kwon and venture capitalists of manipulating the Mirror Protocol.