Community members of the failed Terra project have identified an exploit that threatens liquidity pools and forced the developers to disable the ability to use mBTC, mETH, mGLXY and mDOT as collateral.
Two days after the launch of the updated Terra 2.0, a user named Mirroruser informed the community about an exploit he had discovered, potentially threatening to restart the entire project. According to his observations, a targeted attack is being carried out against the Terra’s Mirror protocol, and the attacker has already stolen assets worth about $2 million.
“This is happening right now. Probably due to the outdated price of the uluna oracle, the mBTC, mETH and mDOT pools have been merged. All other pools will be depleted as soon as new oracle prices become available,” wrote Mirroruser.
Mirroruser attached a list of addresses and completed transactions to his message.
On May 30, adding to Mirroruser’s post, a regular Terra member named FatMan tweeted that the Mirror Protocol issue was identified seven months ago, in October 2021, but neither Mirror Protocol nor Terraform Labs responded to it. FatMan explained to the project participants the potential danger of the events taking place. In his understanding, the problem is that there is still a bug in the current Terra price oracle that tells the system that “LUNC is worth about 5 UST, although it is actually cheaper than a microcent.” Therefore, “for $1,000 in LUNC, an attacker could get $1.3 million in collateral and steal real assets, such as by taking out a loan.”
FatMan warned that as soon as a full-fledged market trading of Terra assets opens, the situation will worsen significantly, and an attacker or a group of attackers will try to merge all the assets in the pools.
“At the moment, the mBTC, mETH, mDOT and mGLXY pools are depleted. After about 12 hours, the market feed will turn on and the attacker will be able to empty all mAsset pools (such as mSPY and mAAPL, mAMZN, etc.),” FatMan tweeted.
Mirroruser and FatMan’s concern was shared by another community member, security specialist Todd G. He wrote that “most #TerraClassic #LUNC validators use an outdated version of the price oracle, publish outdated prices and need to be updated as soon as possible.”
The Mirror Protocol and Terraform Labs teams have not officially reacted to incoming warnings. However, as FatMan learned, the crisis was averted at the very last moment: on May 31, Mirror disabled the use of mBTC, mETH, mGLXY and mDOT as collateral.
It is not known how much could have been stolen as a result of the attack, but a new blow to Terra’s reputation could be the last straw that destroys the very idea of \u200b\u200bthe Terra 2.0 project.
On May 30, it became known that the South Korean prosecutor’s office would involve all the leaders and employees of the Terraform Labs cryptocurrency platform behind the Terra project to testify.
