Members of the failed Terra project’s community identified an exploit that threatened liquidity pools and forced the developers to disable the ability to use mBTC, mETH, mGLXY and mDOT as collateral.
Two days after the launch of the upgraded Terra 2.0, a user nicknamed Mirroruser alerted the community to an exploit he had discovered that potentially threatened the relaunch of the entire project. According to his observations, a targeted attack was being conducted against Terra’s Mirror protocol, and an attacker had already stolen assets worth around $2 million.
“This is happening right now. Probably due to the irrelevant oracle price of uluna, the mBTC, mETH and mDOT pools have been drained. All other pools will be depleted as soon as new oracle prices become available,” Mirroruser wrote.
Mirroruser attached a list of addresses and transactions to his message.
On May 30, adding to Mirroruser’s post, regular Terra community member FatMan said in a tweet that the Mirror Protocol problem had been identified seven months earlier, in October 2021, but neither Mirror Protocol nor Terraform Labs responded. FatMan explained to the project participants the potential dangers of the events taking place. His understanding of the problem is that Terra’s current pricing oracle still contains an error that tells the system that “LUNC is worth about 5 UST, even though it is actually cheaper than a micro cent”. Consequently, “for $1,000 in LUNC, an attacker could get a $1.3 million deposit and steal real assets, for example by taking out a loan”.
FatMan warned that once full market trading of Terra assets opens up, the situation will get much worse, and an attacker or group of attackers will try to drain all the assets in the pools.
“At the moment the mBTC, mETH, mDOT and mGLXY pools are depleted. In about 12 hours the market tape will turn on and the attacker will be able to empty all mAsset pools (such as mSPY and mAAPL, mAMZN etc.),” FatMan wrote on Twitter.
Mirroruser and FatMan’s concerns were shared by another community member, a security specialist nicknamed Todd G. He wrote that “most #TerraClassic #LUNC validators use an outdated version of the price oracle, publish irrelevant prices and need to update as soon as possible”.
The Mirror Protocol and Terraform Labs teams have not officially responded in any way to the warnings. However, as FatMan has learned, a crisis was averted at the very last moment: on May 31, Mirror disabled the use of mBTC, mETH, mGLXY and mDOT as collateral.
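The oracle problem described above comes down to valuing collateral with a price that is both old and far from the market. The following Python sketch is an added example, not Mirror Protocol or Terra code: it refuses a deposit as collateral when the oracle quote is stale or deviates from an independent reference price. The thresholds, names and sample prices are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumed policy values for this sketch; a real protocol would tune them.
MAX_AGE_S = 60                    # oldest oracle quote still accepted, seconds
MAX_DEVIATION = Decimal("0.05")   # largest tolerated gap to the reference price


@dataclass(frozen=True)
class Quote:
    price: Decimal   # UST per token
    published: int   # unix time the quote was published


def oracle_faults(oracle: Quote, reference: Quote, now: int) -> list[str]:
    """Return the reasons the oracle quote must not be used (empty = usable)."""
    if oracle.price <= 0 or reference.price <= 0:
        return ["non-positive price"]
    faults = []
    if now - oracle.published > MAX_AGE_S:
        faults.append("stale")
    deviation = abs(oracle.price - reference.price) / reference.price
    if deviation > MAX_DEVIATION:
        faults.append("deviates from reference")
    return faults


def collateral_value(amount: Decimal, oracle: Quote, reference: Quote, now: int):
    """Value a deposit in UST, or return None to refuse it as collateral."""
    if oracle_faults(oracle, reference, now):
        return None  # fail closed: the asset is not accepted as collateral
    # Use the lower of the two prices so a small gap never inflates the value.
    return amount * min(oracle.price, reference.price)


# Constructed sample data: the reference price is illustrative, not a market figure.
NOW = 1_653_900_000
REFERENCE = Quote(Decimal("0.0001"), NOW - 5)
STUCK_ORACLE = Quote(Decimal("5"), NOW - 86_400)   # old quote near 5 UST
FRESH_ORACLE = Quote(Decimal("0.000101"), NOW - 10)

if __name__ == "__main__":
    deposit = Decimal("10000000")
    print("unchecked value:", deposit * STUCK_ORACLE.price)
    print("faults:", oracle_faults(STUCK_ORACLE, REFERENCE, NOW))
    print("checked, stuck:", collateral_value(deposit, STUCK_ORACLE, REFERENCE, NOW))
    print("checked, fresh:", collateral_value(deposit, FRESH_ORACLE, REFERENCE, NOW))
```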
It is unknown how much might have been stolen as a result of the attack, but the new blow to Terra’s reputation could have been the last straw, destroying the very idea of the Terra 2.0 project.
On May 30, it was reported that South Korean prosecutors would bring in all executives and employees of cryptocurrency platform Terraform Labs who were behind the Terra project to testify.