By
Chimamanda U. Martha
April 19th, 2024
A Terra community member discovered a $90 million DeFi exploit on the Terra blockchain that was not known to the public for months.
Until last week, a costly Terra DeFi exploit went unnoticed for seven months. Mirror Protocol, built on the classic Terra blockchain, allowed users to take long or short positions on tech stocks using synthetic assets. However, the protocol’s working mechanism witnessed a $90 million hack. Only discovered last week by a Terra community member and analyst called “FatMan,” the Terra chain DeFi exploit has now been confirmed by security analysts BlockSec.
How the Terra DeFi Exploit Came About
In order to bet against a stock on Mirror, users had to lock collateral for no less than fourteen days. This collateral included the original native Terra digital currency LUNA (now LUNA Classic or LUNC). Other assets involved are mAssets and the now defunct stablecoin UST.
Upon conclusion of the trade, users were able to unlock the collateral to release the funds back into the wallet. In addition, this process was aided by the help of smart contract-generated ID numbers. However, the prevalence of a buggy code inhibited the lock contract of Mirror Protocol from checking whether a user had used the same ID before to withdraw funds.
Back in October 2021, an unknown entity realized that they could deploy a list of duplicate IDs to repeatedly unlock way more collateral than they had. This made it possible to withdraw funds arbitrarily without any authorization on the Terra chain via the breach. Exploiting the lapse in security, the entity drained $90 million from the Mirror Protocol, according to blockchain records.
The Discovery
On May 27th, “FatMan”, one of the most vocal antagonists of the recent launch of Terra 2.0, pointed out the Mirror exploit in a Twitter post which read:
“Two coffees later, as I was about to give up, I found this. Hold on… What’s going on here? A single transaction from October 2021 unlocking one position over and over again – and it actually executed. Here’s the transaction.”
FatMan’s tweet contained a link to the Terra Finder site which showed the protocol lapse. The user then followed the initial tweet with subsequent ones as part of thread. FatMan’s series of tweets shed light on how the unknown attacker milked the situation. According to one of the tweets:
“The lock contract didn’t check that the funds were sent from the mint contract, so the attacker opened a position with $10 in collateral (!) and [sent] $10k directly to the lock contract. They could then loop-unlock others’ collateral over and over again from the contract.”
BlockSec corroborated FatMan’s findings on Twitter. Just like FatMan’s original post, BlockSec included the supporting link which verifies the breach. Furthermore, BlockSec also suggested that the exploit went unnoticed for as long as it did because fewer people scanned for issues on Terra. Other networks like Ethereum and Ethereum-compatible chains get scanned for issues a lot more.