How the Mirror Protocol got Exploited

1 Attack

1.1 Preparation

The transaction https://finder.terra.money/classic/tx/29C9CFBBC9562100A5DB19D705E440CE24768D3BDE399507FA1C2EC2424413C4 is used to prepare the attack.

1.2. Attack

The Mirror Protocol does not check the duplication of the position ID. In this case, the attacker can feed many duplicate position IDs to unlock the locked amount in one position over and over again. As such, the number of unlocked amount will be duplicated many times (which is much bigger than the correct value).

2. Bug Fix

The vulnerability was fixed in this commit.

3. Conclusion

As pointed out by @FatMan and other community members, this bug existed for a couple months and has been exploited in the wild. We believe that silently patching a vulnerability which has already been exploited in the wild is not a good security practice. Besides, we also think the high-profile DeFi projects should deploy some gate keepers to actively monitor the status of their apps and get alerted when something unusual happened.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store