An inconsistency in the price reported for the assets underlying the synthetic assets on the DeFi platform Mirror Protocol has caused an ongoing exploit that has the potential to drain all of its funds.
The exploit was observed on May 29 by governance participant “Mirroruser” on the protocol forum. At the time of writing, the mBTC, mDOT, mETH, and mGLXY synthetic asset pools on the protocol have lost nearly all of their assets valued at over $2 million.
Mirror enables trading of synthetic assets, such as stocks and cryptocurrency, on the Terra and Terra Classic layer-1, BNB Chain (BNB) and Ethereum (ETH) blockchains.
A pricing error for Luna Classic (LUNC) made the exploit possible. The remaining validators on Terra Classic reported the price of LUNC ($0.000122) to be the same as that of the newly launched LUNA ($9.32), although their actual market prices differ wildly according to CoinGecko.
Chainlink Community Ambassador ‘ChainLinkGod’ explained on May 31 that the “Terra Classic validators were running an outdated version of the oracle software”.
.@mirror_protocol just mined again due to Terra Classic validators reporting the price of the new Terra 2.0 $LUNA piece (~$9.80) instead of the original Terra Classic $LUNC coin (~$0.0001)
This is a massive operations failure https://t.co/hO0M0UFBYq https://t.co/ygbr3ij4iS pic.twitter.com/PO0huxX8oQ
— ChainLinkGod.eth (@ChainLinkGod) May 30, 2022
Venus Protocol and Blizz Finance each suffered a similar exploit in May, when the LUNA price reported by the Chainlink price oracle remained at $0.10 despite the market price being well below that. Blizz Finance was entirely gutted, while Venus lost $11.2 million.
A Terra community whistleblower on Twitter who goes by the handle “FatMan” warned that the Mirror exploit will affect other “m” asset pools around 8:00 UTC on May 31. However, the account also claims that most pools can be saved if the developers step in to fix the bug.
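Both failure modes described above, a feed reporting another asset's price (LUNC at $9.32) and a feed stuck above the market (LUNA at $0.10), can be caught by comparing the oracle value with independent market quotes before it is used. The Python below is an added example, not code from Mirror, Venus, Blizz or Chainlink; the function names, the 10% tolerance and the reference quotes are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class Verdict:
    accept: bool   # True if the feed price may be used
    reason: str
    ratio: float   # feed price divided by the reference median (0.0 if unknown)


def check_feed(feed_price, reference_quotes, max_deviation=0.10, min_sources=2):
    """Fail-closed sanity check on an oracle price (hypothetical helper).

    feed_price: price the on-chain oracle reports for the asset.
    reference_quotes: independent market quotes for the same asset.
    """
    quotes = [q for q in reference_quotes if q > 0]
    if feed_price <= 0:
        return Verdict(False, "non-positive feed price", 0.0)
    if len(quotes) < min_sources:
        # Without enough independent quotes the feed cannot be validated.
        return Verdict(False, "too few reference quotes", 0.0)
    ratio = feed_price / median(quotes)
    if abs(ratio - 1.0) > max_deviation:
        side = "above" if ratio > 1 else "below"
        return Verdict(False, f"feed is {ratio:.4g}x the market ({side})", ratio)
    return Verdict(True, "within tolerance", ratio)


def market_state(feed_price, reference_quotes):
    """Circuit breaker: pause minting and withdrawals when the feed is rejected."""
    return "open" if check_feed(feed_price, reference_quotes).accept else "paused"


def run_cases():
    # Reference quotes are constructed sample data around the article's figures.
    return {
        # Validators report the new LUNA price for LUNC.
        "lunc_wrong_asset": check_feed(9.32, [0.000121, 0.000122, 0.000123]),
        # Feed pinned at $0.10 while the market trades well below it.
        "luna_pinned": check_feed(0.10, [0.009, 0.010, 0.011]),
        # Healthy feed that agrees with the market.
        "luna_healthy": check_feed(9.32, [9.30, 9.32, 9.35]),
    }


if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(name, verdict)
```
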
At 00:55 UTC, it appeared that the price error had been corrected for LUNC, as the price verified by the oracle had returned to its actual market value.
This is the second time Mirror has suffered a major vulnerability. A previous bug in Mirror’s code has been exploited “hundreds of times” since 2021, according to FatMan in a May 27 tweet. The first exploit allowed a user to unlock other users’ security on the protocol and withdraw it themselves. In total, the first exploiter got away with “well over $30 million” and was not noticed until May 2022, he added.
On May 28, the Terra ecosystem was relaunched when Terra 2.0 went live as per founder Do Kwon’s plans. Terra 2.0 is a fork of the blockchain now called Terra Classic. LUNA tokens are airdropped to investors who held the previous version of LUNA and the stablecoin TerraUSD (UST) during the catastrophic collapse of the Terra ecosystem earlier this month.
Mirror Protocol (MIR) tokens are currently down 2% in the past 24 hours and are trading at $0.31 according to CoinGecko.