Mirror Protocol, a synthetic-asset protocol that offers on-chain price exposure to real-world assets and holds millions in total value locked, was recently hacked because of a price oracle bug that reported Luna Classic's price as above 5 UST.
Because of the incorrect calculation, hackers with only $1,000 worth of Luna can easily get $1.3 million in collateral, even though its real value is significantly lower. Despite the collateral's low real price, traders can still easily borrow real funds against it and withdraw them, leaving only the cheap collateral behind.
"Crisis averted - in the nick of time, Mirror disabled the usage of mBTC, mETH, mGLXY and mDOT as collateral. The attacker can no longer use his ill-gotten endowment to drain the rest of the pools. Great job @mirror_protocol - thank you! https://t.co/o64SVIRBmZ" - FatMan (@FatManTerra), May 31, 2022
In this case, the hacker drained mBTC, mETH and two other pools. Twelve hours after the first drain, the hacker attacked other assets. Terra community members asked Do Kwon to fix the LUNA price oracle, since the bug could lead to the draining of all liquidity pools on Mirror and a system collapse.
The situation puts the whole idea of a decentralized market for synthetic assets at risk, as exploits like this will cause catastrophes in the future if platforms like Mirror grow to the size of an average U.S. brokerage.
Thanks to the developers' quick response, Mirror was saved by disabling the use of mBTC, mETH, mGLXY and mDOT as collateral, which put a hard brake on the hacker's attempt to drain the remaining pools. Had the developers put the block in place 15 minutes later, the hacker would have gained access to the remaining pools, leading to the end of the platform.
Had the fix not been rolled out in time, an attacker could have easily used the drained funds as collateral and then taken out even more money, launching a death spiral of borrowing against collateral worth millions that originated from only $1,000 in Classic Luna tokens.