The Mirror Protocol was hacked on 8 October 2021 for 90 million dollars (about 85 million euros) and in early May, more than seven months after the event, the million-dollar heist only came to light. Twitter user FatManTerra says he found out about the hack purely by chance.
Lake like a basket
The hackers managed to extract millions from the Mirror Protocol because of a mistake in the smart contract. This error makes it possible to get money out of the contract “again and again, without risk”. The contract functioned as a vault for digital collateral in the Mirror Protocol. This digital vault has now proved to be as leaky as a sieve for months, with all the consequences thereof.
https://twitter.com/FatManTerra/status/1529978941062139906?s=20&t=y1M06bPF1XFqwekMyB5hBA
Contracts on Terra protocol
The Mirror Protocol contracts in question ran on the Terra blockchain. A name that you have undoubtedly seen pass by in recent weeks because of the enormous drama that took place there. After Terra’s UST-stablecoin lost its link to the US dollar, the LUNA token also went down and billions in assets went up in digital smoke.
De assets van het Mirror Protocol waren overigens niet alleen beschikbaar via de Terra blockchain. They can also be traded on Ethereum and the Binance Smart Chain. A glance at the Terra blockchain shows that the attacker did indeed manage to withdraw secured UST funds from the protocol with the same transaction. All in all, he or she put down $17.54 (16.66 euros) to get all the funds out of the vaults.
What is the Mirror Protocol?
Apart from the fact that the smart contracts of Mirror Protocol were apparently not quite right, there are interesting things possible on the platform. Mirror Protocol is a decentralised application that makes it possible to create digital synthetic assets. That sounds very exciting, but a synthetic asset is nothing more than a token that represents the price of financial products from the “real world”. For example, it is possible to create shares in Tesla and Google using only cryptocurrencies as underlying assets.
The bugs discovered by the Mirror community have since been quietly resolved by the developers of the protocol. The team has not commented on the situation, which is understandably drawing criticism from the community. FatManTerra thinks there is no reason to suspect that the hacker was someone from the organisation itself.
Not the only one
Mirror Protocol is not the first party to discover that funds have disappeared only some time after a hack. In the past, it took the Ronin team six days to realise that they had lost 600 million dollars (570 million euros). But there is still a considerable difference between six days and seven months. In this respect, the DeFi world clearly still has some way to go. In a mature industry, after all, there is no place for this kind of madness. Certainly not if we want the whole world to use these kinds of protocols.