Problem child Terra continues to cause trouble even after its collapse. As early as October last year, a $90 million exploit occurred on the Mirror protocol. The curious incident was noticed only a few days ago, shortly before another attack occurred.
Mapping real-time stock prices, making them tradable as synthetic assets (also called stock tokens) and thus bringing the stock market to the blockchain: the core function of the Mirror protocol, which runs on the Terra blockchain, offers many advantages and apparently just as many vulnerabilities. A previously unknown attacker managed to trick the protocol about seven months ago and relieved it of about $90 million. The incident has only now been revealed by the anonymous Terra whistleblower FatMan in a series of tweets.
Vulnerability costs $ 90 million
The Mirror protocol can be used to enter into long and short positions, i.e. bets on rising or falling prices, on tech stocks. To do so, users must deposit collateral and lock it for two weeks. After the trade is completed, the funds can be unlocked again. So far, so good.
But apparently there was an error in the code, as a result of which the same ID could be used to withdraw funds more than once. This allowed the attacker to unlock the collateral of other users and take it for himself. All told: over $90 million.
“The lock contract did not check whether the funds were sent from the Mint contract, so the attacker opened a position with $10 in collateral and sent $10,000 directly to the lock contract. He was then able to unlock the collateral of others again and again in a loop from the contract,” explains FatMan. Several times, the attacker “turned $10,000 into $4,300,000” as a result.
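A simplified model of the two missing checks described above, added here as an illustration and not taken from Mirror's code. The class, the `mint` caller name, the ledger layout and all amounts are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

MINT = "mint"  # hypothetical name for the only caller allowed to lock funds


class Rejected(Exception):
    """The lock contract refused the message."""


@dataclass
class LockContract:
    hardened: bool
    pool: int = 0                               # collateral held for all users
    locked: dict = field(default_factory=dict)  # position id -> (owner, amount)

    def lock(self, sender, pid, owner, amount):
        # Check 1: only the mint contract may register locked funds.
        if self.hardened and sender != MINT:
            raise Rejected("lock must come from the mint contract")
        held = self.locked.get(pid, (owner, 0))[1]
        self.locked[pid] = (owner, held + amount)
        self.pool += amount

    def unlock(self, sender, pids):
        # Check 2: a position id may be redeemed only once per request.
        if self.hardened and len(set(pids)) != len(pids):
            raise Rejected("duplicate position id")
        if any(self.locked.get(p, (None, 0))[0] != sender for p in pids):
            raise Rejected("not the position owner")
        # Without check 2, a repeated id is summed once per occurrence.
        paid = sum(self.locked[p][1] for p in pids)
        for p in set(pids):
            del self.locked[p]
        self.pool -= paid
        return paid


def scenario(hardened):
    """Constructed inputs: one honest position, one small one, a repeated id."""
    c = LockContract(hardened)
    c.lock(MINT, 1, "alice", 50_000)
    c.lock(MINT, 2, "mallory", 10)
    try:
        c.lock("mallory", 2, "mallory", 10_000)  # funds sent past the mint contract
        return c.unlock("mallory", [2, 2, 2]), c.pool
    except Rejected as err:
        return str(err), c.pool
```

With `hardened=False` the model pays out more than the position ever held, and the difference comes out of the other user's collateral; with `hardened=True` the first check stops the sequence before any funds move.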
Because it was so nice: Mirror looted again
Same protocol, different error. On Sunday, another attack on Mirror was observed. The problem this time: apparently Mirror was using an outdated oracle version. As a result, Mirror valued the LUNC token, which is actually worth only fractions of a cent, at about five US dollars.
“For $1,000 in LUNC, an attacker can now charge $1.3 million in collateral,” FatMan wrote. “Apparently, the reason was that the Terra Classic validators were working with an outdated version of the oracle software,” explained ChainLinkGod.eth on Twitter.
Due to the error, the mBTC, mETH, mDOT and mGLXY pools were looted. In total, the damage is expected to amount to two million US dollars. In the meantime, the error has been fixed and the oracle version has been updated.