More bad news for Terra as fresh allegations emerge about Mirror Protocol
@FatManTerra is back with fresh allegations about Terra’s synthetic assets protocol Mirror. Specifically, an exploit related to Mirror’s lock contract.
Since the Terra fiasco blew up earlier in May, @FatManTerra has been lifting the lid on the inner workings of the Terra ecosystem. The revelations paint a picture of suspicious goings-on.
The latest allegations further suggest that Terra users have been on the raw end of the deal for a lot longer than previously assumed.
Mirror Protocol under the spotlight
Details shared via social media on May 26 alleged that Mirror Protocol might not be as decentralized as it claims
@FatManTerra tweeted details of an investigation into Mirror’s whale wallets, which he suspects are actively trying to conceal their influence by spreading MIR tokens across burner wallets.
“I have found evidence that this wallet and related wallets try very hard to make it look like MIR governance is not majority-controlled by a single entity – they do so by splitting up MIR between several fresh anonymous wallets.”
One of these wallets is linked to Terraform Labs CEO Do Kwon via a Decentralized Autonomous Organization (DAO), on which he is an advisor.
Tying all of this together, @FatManTerra suggests this may point to senior figures within the Terra hierarchy manipulating governance and profiting as a result.
Fresh allegations
@FatManTerra also tweeted details of an exploit on the Mirror Protocol that was plugged roughly 18 days ago, which coincided with the time UST lost its peg.
🧵👇 What if I told you that Mirror Protocol, up until 18 days ago, was susceptible to the one of the most profitable exploits of all time, allowing an attacker to generate $4.3m from $10k in a single transaction? Here’s how I discovered this – by pure serendipity. 🧵👇
— FatMan (@FatManTerra) May 27, 2022
The bug in question relates to the Mirror lock contract. Under normal circumstances, users lock their collateral, and after a 14-day holding period, they can use an unlock function to release the collateral.
Until the UST implosion, the code which governed the unlock function did not have a duplicate check. Meaning an attacker could repeatedly release funds after the 14-day lock-in period.
What’s more, @FatManTerra alleged that Mirror Protocol patched the bug without informing the Mirror community that it even existed.
So – this bug exists and was quietly patched up – but we don’t know if anyone ever noticed it or exploited it before. It would be hard to check since you would need to sift through months of chain data and millions of transactions – the Mirror forum didn’t bother. (5/12)
— FatMan (@FatManTerra) May 27, 2022
Further investigations show attackers have exploited the bug hundreds of times since October 2021.
Two coffees later, as I was about to give up, I found this. Hold on… What’s going on here? A single transaction from October 2021 unlocking one position over and over again – and it actually executed. Here’s the transaction: https://t.co/2pbiwqKWNT (9/12) pic.twitter.com/lklZHIYQqV
— FatMan (@FatManTerra) May 27, 2022
Suspicions were further set off when one of the wallets involved timed a UST dump just before the suspension of the Terra pegging mechanism.
A community investigator under the username PF92Â said at least 88 million UST was stolen through this vulnerability.
@FatManTerra signed off the tweetstorm by saying he doesn’t know who is responsible but will continue investigating.
And that’s how with a little bit of luck and a lot of research, I found out about one of the greatest yet most simple smart contract exploits in blockchain history that went under the radar for almost a year. Who did this? I have no idea, but I’ll try to find out. (12/12)
— FatMan (@FatManTerra) May 27, 2022