An exploit in Mirror Protocol has allowed an attacker to drain over $2 million so far. The protocol is powered by smart contracts on the Terra Classic network and allows the creation, trading, and borrowing of synthetic assets (mAssets) on-chain that mimic the price of real-world assets, such as stocks.
What caused the exploit?
After the fall of Terra Luna, the team behind it launched a new chain with the same name (LUNA), rebranding the old chain Terra Luna Classic (LUNC). However, the pricing oracle of Terra Classic, used by Mirror Protocol, had yet to catch on and was reporting the price of the new LUNA token when users provided collateral using LUNC.
The exploit? You can buy 1 LUNC for ~$0.00013 at the time of writing, but Mirror Protocol will believe the price is around $11, the price of the new LUNA token. A user can buy $1000 worth of LUNC and provide millions in collateral to borrow through the protocol and pull out real assets. As FatMan, a vocal Terra analyst, notes:
“So far, the mBTC, mETH, mDOT and mGLXY pools have been drained. In around 12 hours, the market feed will kick in, and the attacker will be able to drain all of the mAsset pools (such as mSPY and mAAPL, mAMZN, etc.)”
Once the market feed for stocks opens at 4:00 AM ET, those pools can be drained too, unless the Mirror Protocol team steps in and fixes the pricing feed to fetch the price of the actual LUNC token.
A faulty oracle
Source: Todd G
As can be seen on the oracle dashboard below for Terra Classic, the price is being reported as over $9. Mirror Protocol has yet to comment on the issue, and it seems the faulty oracle will not be fixed in time for the opening of stock market feeds, which will cause a doomsday event for the protocol and see most of its liquidity evaporate.
How do we prevent this?
ChainLinkGod, a community ambassador for Chainlink, provided some insight two days ago that fits today’s exploit perfectly:
The poster stated that “there needs to be an administration role to track these changes and make modifications as needed.” Inherently, even the most advanced oracle networks today require regular maintenance and administration for unique cases, which is something the validators in charge of the Terra Classic oracle price, and even Mirror Protocol, have evidently failed to account for.
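The mispricing described above, and a fail-closed cross-check that would hand it to the administration role the quote calls for, shown as an added example that is not code from Mirror Protocol, Terra Classic or Chainlink. The two prices are the ones quoted in this article; the second reference feed, the 5% tolerance and all function names are assumptions made for illustration.

```python
from decimal import Decimal

# Prices quoted in the article; everything else here is constructed.
LUNC_MARKET_PRICE = Decimal("0.00013")  # what 1 LUNC actually costs
ORACLE_PRICE = Decimal("11")            # new-LUNA price the feed reported for LUNC
MAX_DEVIATION = Decimal("0.05")         # assumed policy: 5% tolerance between feeds


class OraclePriceRejected(Exception):
    """Primary feed disagrees with the reference; needs operator review."""


def unguarded_value(amount: Decimal, oracle_price: Decimal) -> Decimal:
    """Collateral valuation that trusts a single feed (the failure mode)."""
    return amount * oracle_price


def deviation(primary: Decimal, reference: Decimal) -> Decimal:
    """Relative distance of the primary price from the reference price."""
    if primary <= 0 or reference <= 0:
        raise OraclePriceRejected("non-positive price from a feed")
    return abs(primary - reference) / reference


def guarded_value(amount: Decimal, primary: Decimal, reference: Decimal,
                  max_dev: Decimal = MAX_DEVIATION) -> Decimal:
    """Value collateral only when both feeds agree within max_dev."""
    dev = deviation(primary, reference)
    if dev > max_dev:
        # Fail closed: refuse to value collateral and surface it to an admin.
        raise OraclePriceRejected(
            f"primary={primary} reference={reference} deviation={dev:.2f}")
    return amount * primary


if __name__ == "__main__":
    lunc = Decimal("1000") / LUNC_MARKET_PRICE      # $1000 of LUNC at market
    print("tokens bought:", lunc.quantize(Decimal("1")))
    print("unguarded collateral ($):",
          unguarded_value(lunc, ORACLE_PRICE).quantize(Decimal("1")))
    try:
        guarded_value(lunc, ORACLE_PRICE, LUNC_MARKET_PRICE)
    except OraclePriceRejected as exc:
        print("rejected:", exc)
```

With the article's figures, $1000 of LUNC is credited as roughly $84.6 million of collateral by the unguarded path, while the guarded path rejects the valuation until an operator resolves the disagreement between feeds.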
Similar past exploits
It seems that Anchor Protocol, the protocol on Terra Classic famous for its ~20% stablecoin APY, faced the same exploit over the weekend. A user was able to profit nearly a million due to the wrong oracle price after the launch of the new LUNA token. However, the Anchor team was quick to fix the bug in their own system after this one mishap, which could leave many wondering: why did the Anchor team not notify other DeFi apps on Terra Classic of this bug if they caught on early?
Perhaps they did and Mirror Protocol has yet to implement a fix. This article will be updated as the situation develops.
Update: It seems Mirror Protocol fixed the exploit 15 minutes before their remaining pools could be drained. However, they have yet to make an official announcement. As FatMan states here: