Mirror Protocol, a DApp on the earlier version of the Terra blockchain, was hit by an exploit today. MirrorUser, a member of the Terra research forum, was the first to discover the exploit.
The Hack
Fatman, another Terra research forum member, confirmed MirrorUser’s discovery almost immediately after the exploit began. Fatman added that many tokenized-asset pools would have been at risk had the loophole not been closed quickly. The developers eventually stopped the exploit, but only after several hours of delay.
Early reports indicate that the attacker exploited a loophole in the pricing oracle run by the Terra Classic validators. Mirror Protocol’s synthetic tokens, called mAssets, allow users to mint mirrored assets and trade them.
These mAssets mirror the original assets in all characteristics, and their price action tracks that of the originals. Hence, there are mirror assets for BTC, ETH, Polkadot, and other digital assets. Apart from accessing the pools, the attacker was also able to drain the token pool for Galaxy Digital shares (mGLXY).
He used the bug in the pricing oracle to drain the mGLXY pool. Fatman claims that if the developers had not intervened, the attacker would have drained the mAAPL and mAMZN pools in addition to mGLXY. Fatman also claimed that he sent several messages to the developers and to Do Kwon before the developers eventually stepped in.
The Rescue Mission
Chainlinkgod, a Chainlink community expert, explained that the validators played a part in the exploit. The validators were running an out-of-date version of the oracle software on the previous Terra chain (now renamed Terra Classic), and it was this outdated software that enabled the bug in the pricing oracle.
Hence, the validators’ price for the new LUNA was that of the old LUNC. The developers fixed the price bug just in time. Mirror Protocol then disabled the use of mBTC, mETH, mGLXY, and mDOT as collateral.
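As an added illustration (not code from Mirror Protocol, Terra, or the validators), the following Python sketches two defensive checks a price-feed consumer could apply to the failure described above: rejecting submissions from feeders below a minimum software version, and halting collateral valuation when an asset’s aggregated price jumps implausibly from the last accepted value. All versions, prices and thresholds are constructed sample values, not real Terra Classic data.

```python
from statistics import median

# All values below are constructed for illustration; they are not real
# Terra Classic oracle data, feeder versions or thresholds.
MIN_FEEDER_VERSION = (2, 0)   # hypothetical: first version that prices LUNC separately from LUNA
MAX_ROUND_MOVE = 0.25         # hypothetical: max 25% change in one oracle round
LAST_ACCEPTED = {"LUNC": 0.00012, "LUNA": 5.80}

def parse_version(v):
    return tuple(int(x) for x in v.split("."))

def aggregate(asset, submissions, last_accepted=LAST_ACCEPTED,
              min_version=MIN_FEEDER_VERSION, max_move=MAX_ROUND_MOVE):
    """Aggregate validator price submissions for one asset.

    Returns (price, reasons). price is None when the feed must not be used
    for collateral valuation; reasons lists every rejection."""
    reasons, usable = [], []
    for s in submissions:
        if s["asset"] != asset:
            continue
        # Check 1: drop feeders running oracle software older than required.
        if parse_version(s["feeder_version"]) < min_version:
            reasons.append(f"{s['validator']}: stale feeder {s['feeder_version']}")
            continue
        usable.append(s["price"])
    if not usable:
        reasons.append(f"{asset}: no submissions from up-to-date feeders")
        return None, reasons
    price = median(usable)
    # Check 2: circuit breaker. The version check alone fails if every feeder
    # is stale or misreports its version, so an implausible jump halts valuation.
    prev = last_accepted.get(asset)
    if prev and abs(price - prev) / prev > max_move:
        reasons.append(f"{asset}: median {price} moves >{max_move:.0%} "
                       f"from last accepted {prev}; halting valuation")
        return None, reasons
    return price, reasons

# Constructed round: two validators still price LUNC as if it were LUNA.
MIXED_ROUND = [
    {"validator": "val-a", "asset": "LUNC", "price": 5.80, "feeder_version": "1.9"},
    {"validator": "val-b", "asset": "LUNC", "price": 5.81, "feeder_version": "1.9"},
    {"validator": "val-c", "asset": "LUNC", "price": 0.00012, "feeder_version": "2.0"},
    {"validator": "val-d", "asset": "LUNC", "price": 0.00013, "feeder_version": "2.1"},
]
# Constructed round: every feeder claims an up-to-date version but reports the LUNA price.
SPOOFED_ROUND = [dict(s, price=5.80, feeder_version="2.0") for s in MIXED_ROUND]

if __name__ == "__main__":
    print(aggregate("LUNC", MIXED_ROUND))
    print(aggregate("LUNC", SPOOFED_ROUND))
```

In the mixed round the stale feeders are discarded and the median of the remaining submissions is accepted; in the spoofed round the version check passes but the circuit breaker halts valuation, which is the behaviour that would have stopped inflated collateral from being used against the mAsset pools.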
Thus, the attacker could not use the fraudulently obtained funds to drain the remaining pools. Some community members speculated that the hack might have been an inside job. Fatman disagreed, tweeting that the incident is more likely a case of negligence.
He added that the Terra team had not covered themselves in glory given recent events, but reiterated that an inside job is unlikely.
It really just looks like negligence of the highest order, but given what's transpired this month, you can't really put anything past them. I see no reason/evidence to believe this is an inside job at this stage. It's basically a game of who has the fastest bot.
— FatMan (@FatManTerra) May 30, 2022
Had the exploit not been stopped, the hack would have confirmed that there is no hope of a resurgence for the Terra network. A more successful hack would also have brought greater scrutiny onto Do Kwon and his team. Do Kwon is still facing multiple investigations from investors and South Korean authorities over the crash of the previous Terra chain.