Outdated software leads to mispricing of mAssets.
Mirror is a DeFi protocol powered by smart contracts on the Terra Classic chain that enables the creation of synthetic assets called Mirrored Assets (mAssets). mAssets mimic the price behavior of real-world assets and give traders anywhere in the world open access to price exposure without the burdens of owning or transacting real assets.
The minting of mAssets is decentralized and is undertaken by users throughout the network by opening a position and depositing collateral. Mirror ensures that there is always sufficient collateral within the protocol to cover mAssets, and also manages markets for mAssets by listing them on Terraswap.
The Mirror Protocol relies on pricing oracles to determine the price of its collateral token. After Terra's fork, the name LUNA belongs to the token on the new Terra 2.0 chain, while the token on Terra Classic is LUNC. However, some validators did not update their software following the fork, so the oracle priced the token at LUNA's $10 rather than LUNC's $0.0001. Due to this, exploiters were able to borrow mAssets with extremely reduced collateral.
According to @FatManTerra on Twitter, $2m was drained from the Mirror Protocol. Here's how it happened.
Exploit Transactions: Terra Finder Reference: Another exploit
There are multiple transactions in which users deposited LUNC and borrowed other assets. Take one of them as an example: this transaction allowed an attacker to take a loan of 30,275 DOT (around $300,000) with 100,000 LUNC as collateral ($10), because Terra validators did not update the price oracle correctly.
Contracts Vulnerability Analysis
After the collapse of Luna, the token was renamed to Luna Classic (LUNC), whilst a fork was also created (LUNA). LUNA on the Terra Mainnet has a price of around $10 at the time of writing, compared to LUNC on Terra Classic, which is worth $0.0001.
Mirror protocol works on Terra Classic and uses oracle services provided by Terra Classic to determine the price of LUNA. However, some validators did not update their software following the fork, and reported the LUNA price instead of the LUNC price.
For example, in this transaction, this validator on Terra Classic reported a LUNC price of around $10, instead of $0.0001.
If a user wants to take out a loan on Mirror protocol, they need to provide more collateral than the amount they want to borrow, e.g. 200% of the amount.
In order to take out a loan of $10,000, the user would need to provide $20,000 in collateral. This equates to 200,000,000 LUNC (@ $0.0001/LUNC) or 2,000 LUNA (@ $10/LUNA).
However, some validators are outdated and provide the LUNA price instead of LUNC. An attacker can now borrow $10,000 with 2,000 LUNC ($0.20) collateral.
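The collateral arithmetic above, together with a monitoring check for validators that report the wrong token's price, as an added example (not code from Mirror, Terra or the original article). The validator names and vote values are constructed, and the median-based outlier rule is an assumption, not a description of how Terra Classic aggregates oracle votes.

```python
from decimal import Decimal
from statistics import median

MIN_COLLATERAL_RATIO = Decimal("2.0")  # the 200% example ratio used in the text


def required_collateral(loan_usd, price_usd, ratio=MIN_COLLATERAL_RATIO):
    """Units of collateral the protocol demands for loan_usd at price_usd."""
    return loan_usd * ratio / price_usd


def real_backing(loan_usd, reported_price, true_price, ratio=MIN_COLLATERAL_RATIO):
    """Actual USD value locked when the protocol trusts reported_price
    but the token is really worth true_price."""
    return required_collateral(loan_usd, reported_price, ratio) * true_price


def divergent_reporters(votes, max_factor=Decimal("10")):
    """Validators whose vote is more than max_factor above or below the
    median vote. Only meaningful while most reporters are correct, so a
    production check should also compare against an independent feed."""
    mid = median(votes.values())
    return sorted(
        name for name, price in votes.items()
        if price > mid * max_factor or price * max_factor < mid
    )


# Constructed sample: three updated validators report LUNC (~$0.0001),
# two outdated ones report the LUNA price (~$10).
SAMPLE_VOTES = {
    "validator-a": Decimal("0.0001"),
    "validator-b": Decimal("0.00011"),
    "validator-c": Decimal("0.00009"),
    "validator-d": Decimal("10.02"),
    "validator-e": Decimal("9.98"),
}

if __name__ == "__main__":
    loan = Decimal("10000")
    print("LUNC needed at correct price:", required_collateral(loan, Decimal("0.0001")))
    print("LUNC needed at stale price:  ", required_collateral(loan, Decimal("10")))
    print("Real USD backing the loan:   ", real_backing(loan, Decimal("10"), Decimal("0.0001")))
    print("Outlier reporters:           ", divergent_reporters(SAMPLE_VOTES))
```
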
Some validators such as Orion.money have fixed the issue. Yesterday they listed the LUNA price but have since updated to the LUNC price.
This issue would not be within the scope of a CertiK audit. The issue here lay with some Terra validators not performing an update related to the Terra fork. This was the sole reason for the mispricing of mAssets.