Nexo

We’re Giving out 10 BTC in Rewards until the Bitcoin Halving

Learn More
Home » News » $90M DeFi Hack Discovered Seven Months After the Fact

$90M DeFi Hack Discovered Seven Months After the Fact

by

Mirror Protocol suffered a $90 million exploit last October, but it went unnoticed for seven months. 

$90M DeFi Hack Discovered Seven Months After the Fact
Shutterstock cover by REDPIXEL.PL

Key Takeaways

  • Mirror Protocol suffered a $90 million exploit—seven months ago.
  • The attacker was allowed to unlock collateral from the protocol again and again while paying very little in fees.
  • The attack was only discovered in the last few days.

Share this article

It is the longest it has ever taken for a crypto exploit to be discovered.

Seven Months

Mirror Protocol was hacked for almost $90 million on Terra Classic on Oct. 8, 2021, a Twitter user by the name of FatMan revealed for the first time on May 26, 2022, seven months after the attack.

According to FatMan, who says he discovered the hack by “pure serendipity,” the attacker stole $89,706,164.03 from the protocol thanks to an exploit that allowed them to unlock collateral from the lock contract “over and over at little cost and zero risk.”

A look at Terra Classic on-chain data indeed reveals that the attacker was able to unlock UST funds multiple times from the protocol within the same transaction, paying only about $17.54 to do so. 

Mirror Protocol is a decentralized application that allows for the creation of digital synthetics which track the price of real-world assets, such as stocks. Mirror’s core contracts were deployed on Terra Classic, but its assets are available on Ethereum and Binance Smart Chain (BSC).

The bug, which was discovered by Mirror community members on May 17, had been quietly fixed by Mirror developers on May 9. The developer team had made no comment on whether the bug had already been noticed or exploited previously. 

The Mirror Protocol team has yet to make any statement about the exploit, which has prompted criticism from the community. FatMan, however, thinks there is no “compelling evidence” indicating the entity responsible for the hack was an insider.

It’s not the first time a DeFi exploit took time to discover, though this is by far the longest it has taken. It had previously taken six days for the Ronin team to realize they’d been exploited for $600 million.

Disclosure: At the time of writing, the author of this piece owned ETH and several other cryptocurrencies.

Share this article

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

Crypto Briefing may augment articles with AI-generated content created by Crypto Briefing’s own proprietary AI platform. We use AI as a tool to deliver fast, valuable and actionable information without losing the insight - and oversight - of experienced crypto natives. All AI augmented content is carefully reviewed, including for factural accuracy, by our editors and writers, and always draws from multiple primary and secondary sources when available to create our stories and articles.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.