A mismatch in the reported price of underlying assets on synthetic assets decentralized finance (DeFi) platform Mirror Protocol has caused an ongoing exploit that has the potential to drain all of its funds.
The exploit was observed on Sunday by governance participant Mirroruser on the protocol’s forum. As of the time of writing, the Mirror BTC (mBTC), Mirror Polkadot (mDOT), Mirror Ether (mETH) and Mirror Galaxy (mGLXY) synthetic asset pools on the protocol have lost almost all of their assets valued at over $2 million.
Mirror allows trading of synthetic assets such as stocks and cryptocurrency on the Terra and Terra Classic layer-1 blockchains, BNB Chain and Ethereum.
A pricing error for Luna Classic (LUNC) made the exploit possible. The remaining validators on Terra Classic reported that the price of LUNC at $0.000122 was the same as the newly launched Terra (LUNA) ($9.32), even though their real market prices vary wildly according to CoinGecko.
Chainlink community ambassador ChainLinkGod explained on Tuesday that the “Terra Classic validators were running an outdated version of the oracle software.”
.@mirror_protocol has just been exploited again due to Terra Classic validators reporting the price of the new Terra 2.0 $LUNA coin (~$9.80) instead of the original Terra Classic $LUNC coin (~$0.0001)— ChainLinkGod.eth (@ChainLinkGod) May 30, 2022
This is a massive operations failurehttps://t.co/hO0M0UFBYq https://t.co/ygbr3ij4iS pic.twitter.com/PO0huxX8oQ
Venus Protocol and Blizz Finance each suffered from a similar exploit in May when price oracle Chainlink’s reported LUNA price remained at $0.10, while the market price ran far below that. Blizz Finance was entirely drained while Venus lost $11.2 million.
Terra community whistleblower on Twitter, pseudonymous FatMan, warned that the Mirror exploit will affect the other “m” asset pools by about 8:00 am UTC on Tuesday. However, the account also claims that most of the pools can be saved if the developers intervene to fix the bug.
By 12:55 am UTC, it appeared that the pricing error had been fixed for LUNC, as the price being verified by the oracle has returned to its real market value.
This is the second time Mirror has suffered from a major vulnerability. The previous bug in Mirror’s code was exploited “hundreds of times” since 2021, according to FatMan in a Friday tweet. The first exploit allowed a user to unlock other users’ collateral on the protocol and pull it out themselves. In all, the first exploiter got away with “well over $30 million” and was not noticed until May 2022, he added.
On Saturday, the Terra ecosystem was relaunched when Terra 2.0 went online, as per founder Do Kwon’s plans. Terra 2.0 is a fork of the now-named Terra Classic blockchain. LUNA tokens are being airdropped to investors who held the previous version of LUNA and the TerraUSD (UST) stablecoin during the catastrophic collapse of the Terra ecosystem earlier this month.
Mirror Protocol (MIR) tokens are currently down 2% in the past 24 hours and are trading at $0.31, according to CoinGecko.