Mirror Protocol Exploited Due to Incorrect Oracle Price
5/31/2022

Outdated software leads to mispricing of mAssets.

Mirror is a DeFi protocol powered by smart contracts on the Terra Classic chain that enables the creation of synthetic assets called Mirrored Assets (mAssets). mAssets mimic the price behavior of real-world assets and give traders anywhere in the world open access to price exposure without the burdens of owning or transacting real assets.

The minting of mAssets is decentralized and is undertaken by users throughout the network by opening a position and depositing collateral. Mirror ensures that there is always sufficient collateral within the protocol to cover mAssets, and also manages markets for mAssets by listing them on Terraswap.

The Mirror Protocol relies on price oracles to determine the price of LUNA, which now exists on the new Terra 2.0 chain. However, some validators did not update their software following Terra's fork, meaning that LUNA was being priced at $10, rather than LUNC at $0.0001. Because of this, exploiters were able to borrow mAssets with drastically reduced collateral.

According to @FatManTerra on Twitter, $2m was drained from the Mirror Protocol. Here's how it happened.

Attack Technical Analysis

Exploit Transactions: Terra Finder; Reference: Another exploit

Attack Flow

There are multiple transactions in which users deposited LUNC and borrowed other assets. Take one of them as an example: this transaction allowed an attacker to take a loan of 30,275 DOT (around $300,000) with 100,000 LUNC collateral ($10) because Terra validators did not update the price oracle correctly.


Contracts Vulnerability Analysis

After the collapse of Luna, the token was renamed to Luna Classic (LUNC), whilst a fork was also created (LUNA). LUNA on the Terra Mainnet has a price of around $10 at the time of writing, compared to LUNC on Terra Classic, which is worth $0.0001.

Mirror protocol works on Terra Classic and uses oracle services provided by Terra Classic to determine the price of LUNA. However, some validators did not update their software following the fork, and reported the LUNA price instead of the LUNC price.

For example, in this transaction, this validator on Terra Classic reported a LUNC price of around $10, instead of $0.0001.

If a user wants to take out a loan on Mirror protocol, they need to provide more collateral than the amount they want to borrow, for example 200% of the amount.

In order to take out a loan of $10,000, the user would need to provide $20,000 in collateral. This equates to 200,000,000 LUNC (@ $0.0001/LUNC) or 2,000 LUNA (@ $10/LUNA).

However, some validators are outdated and provide the LUNA price instead of LUNC. An attacker can now borrow $10,000 with 2,000 LUNC ($0.20) collateral.
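
The arithmetic above, worked through as an added example (not Mirror's or CertiK's code), together with one possible guard that refuses a feed price far from an independent reference. The reference price source, the 10% threshold and all function names are assumptions made for illustration.

```python
from decimal import Decimal

MIN_COLLATERAL_RATIO = Decimal("2")   # the 200% example ratio used in the text
MAX_DEVIATION = Decimal("0.10")       # assumed guard threshold of 10% (hypothetical)


class PriceDeviationError(Exception):
    """Oracle price disagrees with the independent reference beyond the threshold."""


def max_borrow_usd(collateral_amount, collateral_price_usd,
                   min_ratio=MIN_COLLATERAL_RATIO):
    """Largest loan (USD) the collateral supports at the given price."""
    return Decimal(collateral_amount) * Decimal(collateral_price_usd) / min_ratio


def effective_ratio(collateral_amount, real_price_usd, loan_usd):
    """Actual collateral ratio of a loan when collateral is valued at its real price."""
    return Decimal(collateral_amount) * Decimal(real_price_usd) / Decimal(loan_usd)


def guarded_price(oracle_price_usd, reference_price_usd,
                  max_deviation=MAX_DEVIATION):
    """Return the oracle price only if it is within max_deviation of a reference.

    reference_price_usd stands for a hypothetical second, independent source;
    it is an assumption of this example and not part of Mirror.
    """
    oracle = Decimal(oracle_price_usd)
    reference = Decimal(reference_price_usd)
    if reference <= 0:
        raise PriceDeviationError("reference price must be positive")
    deviation = abs(oracle - reference) / reference
    if deviation > max_deviation:
        raise PriceDeviationError(
            f"oracle {oracle} vs reference {reference}: "
            f"relative deviation {deviation:.2f}")
    return oracle


if __name__ == "__main__":
    lunc, stale, real = 2_000, "10", "0.0001"     # figures from the text
    loan = max_borrow_usd(lunc, stale)            # 10000 USD against $0.20 of LUNC
    print("loan allowed at stale price:", loan)
    print("real collateral ratio:", effective_ratio(lunc, real, loan))
    try:
        max_borrow_usd(lunc, guarded_price(stale, real))
    except PriceDeviationError as exc:
        print("mint refused:", exc)
```

With the stale $10 price the position passes the 200% check while its real collateral ratio is 0.00002; the guard rejects the feed before the loan limit is computed.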

Some validators such as Orion.money have fixed the issue. Yesterday they listed the LUNA price but have since updated to the LUNC price.


Would We Spot This in an Audit?

This issue would not be within the scope of a CertiK audit. The issue here lay with some Terra validators not performing an update related to the Terra fork. This was the sole reason for the mispricing of mAssets.