The Mirror Protocol – a decentralized finance application powered by the Terra blockchain – reportedly suffered an attack that lasted over 7 months and drained approximately $90 million from its liquidity pool without anyone noticing. How could this happen?

The incident was first discovered by an independent analyst within the Terra community identified as “Mirroruser” who posted about the incident on 28 May on the protocol’s official forum.

Details about how the exploit managed to drain money from Mirror’s liquidity pools were further shared by another independent analyst identified as “FatMan” who shared both on the forum and his official Twitter account the intricacies of how the attack occurred.

According to FatMan, the Mirror Protocol identifies wallets with a unique ID. However, the protocol’s coding made the mistake of not incorporating a duplicate check and that allowed hackers to use existing IDs to withdraw money that was pledged as collateral by third parties who were unaware of what was going on.

The breach was corroborated by blockchain security firm BlockSec two days ago. The firm also stated that the bug was silently patched by Mirror’s developing team. The fact that the community was not informed of what happened at any given point remains a concerning issue as it is unclear if developers knew about the bug before it was brought up by these analysts.

How Does the Mirror Protocol Works?

The Mirror Protocol is a Terra-based DeFi application that allows users to create synthetic assets – also known as mAssets – within the blockchain that track the price of multiple financial instruments including stocks, ETFs, and cryptocurrencies.

The application uses a third-party app known as an oracle to pull stock prices from external sources and on-chain assets are valued accordingly.

Same as with traditional trading platforms, users can short these instruments via the Mirror Protocol. For this, they have to pledge collateral in UST, LUNC, or mAssets for 14 days at least. After the transaction is completed, users can withdraw their funds from the protocol.

The Mirror Protocol was powered by Terra’s original blockchain which means that the application’s feasibility was vulnerable as a result of the collapse of the project’s flagship stablecoin UST.

It is unclear, however, how the protocol’s collateral was impacted by this event as the front-end interface does not disclose the collateral ratio for all outstanding short positions on mAssets.

Confidence in Terra’s New Network and its dApps Keeps Cratering

luna 2 price chart
Luna 2 (LUNA/USD) price chart – Source: CoinMarketCap

The price of Luna Classic, the native token of Terra’s original network, is dropping 10% this morning while the value of the LUNA 2 token – as many have named the native token of the Terra 2.0 blockchain – is going down nearly 27% far in early crypto-trading action today as confidence on the project’s ability to recover continues to crater.

Thus far, the price of LUNA 2 has declined 63% from its post-fork high as investors who received the tokens via airdrop quickly dumped them to recover some of the losses they took on LUNC.

This recent development concerning the Mirror Protocol may be contributing to instilling more fear, uncertainty, and doubt among investors regarding the prospects of the Terra ecosystem as it is not the first time that flaws have been identified in the coding of some of its most popular decentralized apps.

Mirror’s developing team has not commented officially on these incidents. According to the protocol’s official Twitter account, the last post was published on 4 May.

The protocol’s governance module shows that the community has proposed that all mAssets are delisted to unlock users’ funds. None of these proposals have been passed. Moreover, a proposal involving a rescue plan for the protocol was also rejected due to insufficient quorum.

Your capital is at risk.