$90 million DeFi hack discovered seven months after the theft
Mirror Protocol was exploited for almost $90 million seven months ago, and the attack was not discovered until a few days back
By Shashank Bhardwaj
Mirror Protocol suffered an exploit worth almost $90 million on the Terra Classic on 8th October 2021, a Twitter user by the profile name FatMan revealed on 26th May 2022. This is the longest period for which a crypto exploit has been left undiscovered.
The attacker stole a hefty amount of $89,706,164.03 from the protocol. The Twitter user FatMan revealed that he found the hack by “pure serendipity.” The exploit allowed the attacker to access the collateral stored in the lock contract again and again at “little cost and zero risk.”
The Mirror Protocol facilitates the creation of digital synthetics to track the price of real-world assets, such as stocks. It is a decentralised application whose core contracts were deployed on Terra Classic. However, its assets are available on Binance Smart Chain (BSC) and Ethereum.
An investigation of the on-chain data of Terra Classic revealed that the attacker unlocked UST funds several times from the protocol within the same transaction and paid only approximately $17.54 to do so.
The bug was discovered by the members of the Mirror community on 17th May and was quietly fixed by Mirror developers on 9th May. The developer team did not comment on whether the bug had been noticed or previously exploited.
FatMan believes that no convincing evidence indicates that the exploit was an insider’s job. However, the Protocol team has not made any statements regarding the exploit yet, which has led to an inflow of criticism from the community.
There have been exploits in many DeFi protocols previously, but this exploit has taken, by far, the longest time to be discovered. Previously, in one of the most recent and biggest Defi exploits, the Ronin team had taken six days to realise that the Ronin network had been exploited, and the amount was a whopping $600 million.
Shashank is the founder of yMedia. He ventured into crypto in 2013 and is an ETH maximalist. Twitter: @bhardwajshash
Crypto wallet users are warned as scammers might get active during the potential Ethereum hard fork