$90 million DeFi hack remained unnoticed for seven months

By Sanne Moonemans

The Mirror Protocol was hacked on October 8, 2021 for 90 million dollars (about 71 million pounds), and the multimillion-dollar robbery only came to light at the beginning of May, more than seven months later. Twitter user FatManTerra says he discovered the hack purely by accident.

Leaky as a sieve

The hackers managed to pull millions from the Mirror Protocol because of a flaw in the smart contract. That mistake made it possible to take money out of the contract “again and again, risk-free”. The contract acted as a vault for digital collateral in the Mirror Protocol. That digital vault turns out to have been as leaky as a sieve for months, with all the consequences that entails.

Contracts on Terra protocol

The Mirror Protocol contracts in question ran on the Terra blockchain, a name you have undoubtedly seen in recent weeks because of the enormous drama that took place there. After Terra’s UST stablecoin lost its peg to the US dollar, the LUNA token also went under, with billions of dollars worth of assets going up in digital smoke.

Incidentally, the assets of the Mirror Protocol were not only available via the Terra blockchain. They can also be traded via Ethereum and the Binance Smart Chain. A look at the Terra blockchain tells us that the attacker did indeed manage to pull locked UST funds from the protocol using the same transaction. All in all, he or she deposited $17.54 (16.66 euros) to remove all funds from the vaults.

What is the Mirror Protocol?

Apart from the fact that the smart contracts of the Mirror Protocol were apparently not completely in order, interesting things are possible on the platform. The Mirror Protocol is a decentralized application that makes it possible to create digital synthetic assets. That sounds very exciting, but a synthetic asset is nothing more than a token that represents the price of “real world” financial products. For example, it is possible to create shares of Tesla and Google with cryptocurrencies alone as the underlying assets.

The Mirror community found a number of bugs, which the protocol developers have quietly fixed since their discovery. The team has not commented on the situation and has understandably come under criticism from the community. FatManTerra thinks there is no reason to suspect that the hacker was someone from the organization itself.

Not the only one

The Mirror Protocol is not the first party to discover only some time after a hack that funds have disappeared. In the past, Ronin’s team took six days to realize that they had been taken for $600 million. But that does not alter the fact that there is still a considerable difference between 6 days and 7 months. In that regard, the DeFi world clearly still has steps to take. After all, such nonsense does not belong in a mature industry, certainly not if we want the whole world to use these kinds of protocols.