$90M DeFi Hack Discovered Seven Months After the Fact
Mirror Protocol suffered a $90 million exploit last October, but it went unnoticed for seven months.
- Mirror Protocol suffered a $90 million exploit—seven months ago.
- The attacker was able to unlock collateral from the protocol again and again while paying very little in fees.
- The attack was only discovered in the last few days.
It is the longest it has ever taken for a crypto exploit to be discovered.
A Twitter user by the name of FatMan revealed for the first time on May 26, 2022 that Mirror Protocol was hacked for almost $90 million on Terra Classic on Oct. 8, 2021, seven months before the disclosure.
According to FatMan, who says he discovered the hack by “pure serendipity,” the attacker stole $89,706,164.03 from the protocol thanks to an exploit that allowed them to unlock collateral from the lock contract “over and over at little cost and zero risk.”
A look at Terra Classic on-chain data indeed reveals that the attacker was able to unlock UST funds multiple times from the protocol within the same transaction, paying only about $17.54 to do so.
Mirror Protocol is a decentralized application that allows for the creation of digital synthetics which track the price of real-world assets, such as stocks. Mirror’s core contracts were deployed on Terra Classic, but its assets are available on Ethereum and Binance Smart Chain (BSC).
The bug, which was discovered by Mirror community members on May 17, had been quietly fixed by Mirror developers on May 9. The developer team has made no comment on whether the bug had already been noticed or exploited previously.
The Mirror Protocol team has yet to make any statement about the exploit, which has prompted criticism from the community. FatMan, however, thinks there is no “compelling evidence” indicating the entity responsible for the hack was an insider.
It’s not the first time a DeFi exploit took time to discover, though this is by far the longest it has taken. It had previously taken six days for the Ronin team to realize they’d been exploited for $600 million.
Disclosure: At the time of writing, the author of this piece owned ETH and several other cryptocurrencies.