The $90 million Terra hack came to light seven months later
In October 2021, the Mirror Protocol app running on the Terra Classic platform fell victim to intruders. The theft was only detected in mid-May.
According to BlockSec, the weird transaction was noticed by a member of the Terra community. Well known online as FatMan, the user has been one of the most ardent opponents of the recent launch of the new Terra blockchain.
Unknown users found a bug in Mirror Protocol software and used it to withdraw about $90 million. To trade shares in the app, users had to unlock a previously deposited pledge amount using an identifier generated by a smart contract. Because of a bug in the application code, Mirror checked the identifier only once but did not do it when someone used it repeatedly.
In October 2021, attackers noticed that they could use a list of recurring identifiers to repeatedly unlock pledge amounts, a bug they took advantage of.
BlockSec believes the hack probably left unnoticed because a small number of users scanned Terra for problems compared to Ethereum and Ethereum-compatible chains. Moreover, the Mirror Protocol website lacked an interface to check the total pledge amount in the protocol, making it much more difficult to detect the vulnerability.
Subscribe to our Telegram channel for the most relevant, interesting, and informative news from the crypto industry.