Reading time: ~2 m
Members of the community of the failed Terra project identified an exploit threatening liquidity pools and forced developers to disable the ability to use mBTC, mETH, mGLXY and mDOT as collateral.
Two days after the launch of the updated Terra 2.0, a user under the nickname Mirroruser informed the community about the exploit he discovered, potentially threatening to restart the entire project. According to his observations, a targeted attack is being carried out against the Terra’s Mirror protocol and the attacker has already stolen assets worth about $ 2 million.
“It’s happening right now. Probably due to the irrelevant price of the uluna oracle, the mBTC, mETH and mDOT pools are merged. All other pools will be depleted as soon as new oracle prices appear,” Mirroruser wrote.
Mirroruser attached a list of addresses and transactions to its message.
On May 30, adding to the Mirroruser post, a regular member of the Terra community under the nickname FatMan reported in a tweet that the Mirror Protocol problem was identified seven months ago, in October 2021, but neither Mirror Protocol nor Terraform Labs responded to it. FatMan explained to the project participants the potential danger of the events taking place. In his understanding, the problem is that there is still an error in the current Terra price oracle that tells the system that “LUNC costs about 5 UST, although in fact it is cheaper than a microcent.” Consequently, “for $ 1,000 in LUNC, an attacker can get a pledge of $ 1.3 million and steal real assets, for example, by taking a loan.”
FatMan warned that as soon as a full-fledged market trading of Terra assets opens, the situation will deteriorate significantly, and the attacker or a group of intruders will try to drain all assets in the pools.
“At the moment, the pools of mBTC, mETH, mDOT and mGLXY are depleted. After about 12 hours, the market feed will turn on, and the attacker will be able to empty all mAsset pools (such as mSPY and mAAPL, mAMZN, etc.),” FatMan wrote on Twitter.
The concerns of Mirroruser and FatMan were shared by another member of the community, a security specialist named Todd G. He wrote that “most validators #TerraClassic #LUNC use an outdated version of the price oracle, publish irrelevant prices and need to update as soon as possible.”
The Mirror Protocol and Terraform Labs teams have not officially responded to the warnings. However, as FatMan learned, the crisis was averted at the very last moment: on May 31, mirror disabled the use of mBTC, mETH, mGLXY and mDOT as collateral.
It is not known how much could have been stolen as a result of the attack, but a new blow to Terra’s reputation could be the last straw that destroys the very idea of the Terra 2.0 project.
On May 30, it became known that the South Korean prosecutor’s office will involve all the leaders and employees of the cryptocurrency platform Terraform Labs who were behind the Terra project in testifying.
#Terra #Community #Prevents #Attack #Mirror #Protocol #Liquidity #Pools