A $90m DeFi Hack Comes To Light After 7 Months
KEY POINTS
- This is the longest that a crypto exploit has taken to get discovered
- The exploit was discovered by a Terra community member and analyst
Security firm BlockSec confirmed that an exploit did indeed take place
DeFi application Mirror Protocol was hacked for almost $90 million on Terra Classic in October last year, Twitter handle @FatManTerra revealed just last week.
According to FatMan, the attacker stole $89,706,164.03 from the protocol owing to an exploit that allowed them to unlock collateral from the lock contract “over and over at little cost and zero risk.”
A look at Terra Classic on-chain data reveals that the attacker was able to unlock UST funds multiple times from the protocol within the same transaction, paying only about $17.54 to do so.
The exploit took place in a way that whenever someone wanted to bet against stock on Mirror, they had to lock collateral — including UST, LUNA Classic (LUNC), and mAssets — for a minimum of 14 days. After the conclusion of the trade, users could unlock the collateral to release the funds back to the wallet. This was done with the help of smart contract-generated ID numbers.
However, because of a buggy code, the Mirror’s lock contract allegedly failed to check when someone used the same ID more than once to withdraw funds.
Last October, one unknown entity noticed that they could use a list of duplicate IDs to repeatedly unlock hundreds of times more collateral than they had. This meant the perpetrator could withdraw funds without any authorization. This entity drained about $90 million in total, according to blockchain records.
Security firm BlockSec confirmed an exploit did take place.
Taking to Twitter on May 29, the firm said, "As pointed by @FatManTerra and many others, the tranaction is on the 'classic'(https://finder.terra.money/classic/tx/08DD2B70F6C2335D966342C20C1E495FD7A8872310B80BAF3450B942F79EBC1F…). Thanks for correcting this, and the attack is the new link."
BlockSec said the exploit likely went unnoticed because not many people were scanning for issues on Terra compared to Ethereum and Ethereum-compatible chains.
This is not the first time a DeFi exploit took time to discover, though this is by far the longest it has taken. Earlier, it had taken six days for the Ronin team to realize they’d been exploited for $600 million.
© Copyright IBTimes 2024. All rights reserved.