Is Mirror Protocol undergoing exploit for the second time? Here’s the truth

Terra hit the bullseye lately, however, the bullseye for all the wrong reasons. Just when Terra thought that its day of difficulties has ended, there was more in store. But what went wrong this time?

Now, the Mirror Protocol allows the trading of synthetic assets, such as stocks and cryptocurrency on the Terra and Terra Classic layer-1 blockchains, BNB Chain (BNB), and Ethereum (ETH). But put that trading on an immediate halt now. Reportedly, at the time of writing, the Mirror protocol was undergoing an attack and might have lost as much as $2 million.

Consequently, MIR tokens went down 5% in the past 24 hours. Thus, trading at $0.30 during press time.

Error #101

Mirror protocol was drained of four synthetic asset pools due to a pricing error on Luna Classic (LUNC)- the older Terra blockchain. Governance participant ‘Mirroruser’ first flagged this exploit on the protocol’s forum. This got quickly circulated by Twitter user FatMan, who shared it in a series of tweets on 31 May.

So far, the mBTC, mETH, mDOT, and mGLXY pools on the protocol have lost almost all of their assets valued at over $2 million. But this situation could go further south ‘unless the dev team steps in and fixes the price oracle.’ A bug in the “price oracle” is the main reason behind this heist as explained in the tweets below.

Remember- Whenever someone wanted to bet against a stock on Mirror, they had to lock collateral — including UST, LUNA Classic (LUNC), and mAssets — for a minimum of 14 days. After the trade concluded, users could unlock the collateral to release the funds back to the wallet. This is done with the help of smart contract-generated ID numbers.

But not this time. The Mirror’s lock contract allegedly failed to check when someone used the same ID more than once to withdraw funds. Hence, the exploit.

Chainlink community ambassador ‘ChainLinkGodblamed or rather pointed at Terra’s ‘outdated version of the oracle software’. “Oracles are currently reporting the price of the new Terra 2.0 LUNA coin (~$9.80) instead of the original Terra Classic LUNC coin (~$0.0001).”

After much delay, it appeared that the pricing error fixed for LUNC, as the price verified by the oracle has returned to its real market value. Although, the respective team didn’t confirm the details yet.

Low-key mirroring 

Notably, the protocol has ‘mirrored’ a similar activity in the past. It suffered a $90 million hack which was only discovered seven months after the fact. The previous bug in Mirror’s code was exploited “hundreds of times” since 2021 according to FatMan.