Over $2 Million Drained From Terra’s Mirror Protocol in New Exploit


Another defi exploit has drained over $2 million in crypto from a protocol on Terra Classic, shortly after its historic collapse. Had developers not acted quickly to fix it, far more money could have been stolen.

  • The governance participant “Mirroruser” of the Terra Research Forum was the first to discover the exploit on Monday. He noted that pools related to bridged Bitcoin, Ethereum, and Polkadot had all been drained. “All other polos will get drained as soon as new oracle prices show up.”
  • According to the analyst FatMan on Twitter, an oracle bug was causing Mirror to read LUNC’s value as $5, rather than fractions of a cent.
  • The token – formerly LUNA – saw its value plummet due to hyperinflation this month. Whereas it once traded above $100, one token is now worth less than a satoshi.
  • According to a Chainlink Community member, the oracle mispricing was due to validators running outdated oracle software. The price of the new LUNA was being reported instead of the former, devalued LUNC.
  • Due to the mispricing, users could use LUNA as collateral to borrow far more money from the protocol than should be possible. “For $1k in LUNC, an attacker can now load up on $1.3m in collateral but can pull out real assets by borrowing,” explained FatMan that afternoon.
  • He also warned that once the market “kicked in” within 12 hours of the tweet, all other pools would be vulnerable.
  • Thankfully, developers managed to patch the bug just in time, rescuing the remaining pools of funds. Nevertheless, over $2 million in funds had been stolen due to what FatMan called “negligence of the highest order.”
Stay up to date with our latest articles