Mirror Protocol app on the old Terra blockchain lost $92 million in hacks

What’s new? Mirror Protocol, a decentralized application (dApp), faced two major attacks that resulted in a loss of $92 million. The first attack, as reported by Terra Research Forum user FatMan, occurred in the fall of 2021 and the second in May this year.

Two coffees later, as I was about to give up, I found this. Hold on... What's going on here? A single transaction from October 2021 unlocking one position over and over again - and it actually executed. Here's the transaction: https://t.co/2pbiwqKWNT (9/12) pic.twitter.com/lklZHIYQqV— FatMan (@FatManTerra) May 27, 2022

What is known about the attacks? According to FatMan, in October an unknown attacker exploited the vulnerability and was able to withdraw from the protocol an amount of money that far exceeded the amount of its own collateral. The total damage amounted to $90 million. According to the analyst, this went unnoticed by Terraform Labs (TFL), developers, and the Mirror community.

On May 30, FatMan reported a new attack related to problems in the operation of the Mirror protocol oracles. According to the user, the damage has already amounted to $2 million and will continue to grow until the developers fix the bug.

Mirror Protocol is being exploited again as we speak, and the devs are completely MIA. So far, the attacker has drained over $2m and counting - the attack will get worse when markets open tomorrow unless the dev team steps in and fixes the price oracle. @mirror_protocol (1/4)— FatMan (@FatManTerra) May 30, 2022

Mirror Protocol allows the creation of synthetic Mirror Assets (mAssets), which replicate the price behavior of real assets. This allows traders to get information on changes in exchange rates without having to own or transact real assets.

What events happened before? On May 31, FatMan said that TFL founder Do Kwon was working on a new algorithmic stablecoin on the Terra 2.0 blockchain.

On April 28, the DeFi protocol Deus Finance was hacked again. The hacker managed to withdraw $13,4 million. The exploit occurred on the Fantom network. According to the experts, this was made possible by manipulating the price oracle, which reads data from the USDC/DEI pair, with an instant loan. The manipulated price of the DEI collateral was used to borrow and deplete the pool.