A $90m DeFi Hack Comes To Light After 7 Months
KEY POINTS
- This is the longest that a crypto exploit has taken to get discovered
- The exploit was discovered by a Terra community member and analyst
Security firm BlockSec confirmed that an exploit did indeed take place
DeFi application Mirror Protocol was hacked for almost $90 million on Terra Classic in October last year, Twitter handle @FatManTerra revealed just last week.
According to FatMan, the attacker stole $89,706,164.03 from the protocol owing to an exploit that allowed them to unlock collateral from the lock contract “over and over at little cost and zero risk.”
A look at Terra Classic on-chain data reveals that the attacker was able to unlock UST funds multiple times from the protocol within the same transaction, paying only about $17.54 to do so.
š§µš What if I told you that Mirror Protocol, up until 18 days ago, was susceptible to the one of the most profitable exploits of all time, allowing an attacker to generate $4.3m from $10k in a single transaction? Here's how I discovered this - by pure serendipity. š§µš
— FatMan (@FatManTerra) May 27, 2022
The exploit took place in a way that whenever someone wanted to bet against stock on Mirror, they had to lock collateral — including UST, LUNA Classic (LUNC), and mAssets — for a minimum of 14 days. After the conclusion of the trade, users could unlock the collateral to release the funds back to the wallet. This was done with the help of smart contract-generated ID numbers.
However, because of a buggy code, the Mirror’s lock contract allegedly failed to check when someone used the same ID more than once to withdraw funds.
Last October, one unknown entity noticed that they could use a list of duplicate IDs to repeatedly unlock hundreds of times more collateral than they had. This meant the perpetrator could withdraw funds without any authorization. This entity drained about $90 million in total, according to blockchain records.
Security firm BlockSec confirmed an exploit did take place.
Taking to Twitter on May 29, the firm said, "As pointed by @FatManTerra and many others, the tranaction is on the 'classic'(https://finder.terra.money/classic/tx/08DD2B70F6C2335D966342C20C1E495FD7A8872310B80BAF3450B942F79EBC1F…). Thanks for correcting this, and the attack is the new link."
As pointed by @FatManTerra and many others, the tranaction is on the 'classic'(https://t.co/9nmweKv1hC). Thanks for correcting this, and the attack is the new link. https://t.co/oehodgHVPw
— BlockSec (@BlockSecTeam) May 29, 2022
BlockSec said the exploit likely went unnoticed because not many people were scanning for issues on Terra compared to Ethereum and Ethereum-compatible chains.
This is not the first time a DeFi exploit took time to discover, though this is by far the longest it has taken. Earlier, it had taken six days for the Ronin team to realize they’d been exploited for $600 million.
© Copyright IBTimes 2024. All rights reserved.
-
More War Debris In Gaza Than Ukraine: UN
-
UK Confirms First Migrants Held For Rwanda Deportation Flights
-
Tesla To Cut Hundreds More Jobs In Musk Cost Push: Report
-
Microsoft Is Turning Into The 'Maestro' Of AI Transformation
-
US-Japan-Philippines Alliance: A Trio With Bitter Past Now Threatens China's Maritime Ambitions
-
Abu Dhabi-backed Group Ends Telegraph Takeover Bid
-
Canada's First New Oil Pipeline In Decades Starts Operating
-
New Post-Brexit Controls: A Thorn For UK Horticulture
-
Climate Change, Brexit Threaten To Wilt Dutch Tulips
-
Gaza Puppet Maker Turns Tins Into Toys In Ruins Of War
