More bad news for Terra as fresh allegations emerge about Mirror Protocol


Rumors

Mirror Protocol devs allegedly covered up a large exploit that led to the siphoning of tens of millions of dollars.


Updated: May 27, 2022 at 2:47 pm


Cover art/illustration via CryptoSlate


@FatManTerra is back with new allegations about Terra’s synthetic assets protocol Mirror. Specifically, an exploit related to Mirror’s lock contract.

Since the Terra fiasco blew up earlier in May, @FatManTerra has been lifting the lid on the inner workings of the Terra ecosystem. The revelations paint a picture of suspicious goings-on.

The latest allegations further suggest that Terra users have been on the raw end of the deal for a lot longer than previously assumed.

Mirror Protocol under the spotlight

Details shared via social media on May 26 alleged that Mirror Protocol might not be as decentralized as it claims.

@FatManTerra tweeted details of an investigation into Mirror’s whale wallets, which he suspects are actively trying to conceal their control by spreading MIR tokens across burner wallets.

“I have found evidence that this wallet and related wallets try very hard to make it look like MIR governance is not majority-controlled by a single entity – they do so by splitting up MIR between several new anonymous wallets.”

One of these wallets is linked to Terraform Labs CEO Do Kwon via a Decentralized Autonomous Organization (DAO), on which he is an advisor.

Tying all of this together, @FatManTerra suggests this may point to senior figures within the Terra hierarchy manipulating governance and profiting as a result.

Fresh allegations

@FatManTerra also tweeted details of an exploit on the Mirror Protocol that was plugged about 18 days ago, which coincided with the time UST lost its peg.

🧵👇 What if I told you that Mirror Protocol, up until 18 days ago, was susceptible to one of the most profitable exploits of all time, allowing an attacker to make $4.3m from $10k in a single transaction? Here's how I discovered this – by pure serendipity. 🧵👇

— FatMan (@FatManTerra) May 27, 2022

The bug in question relates to the Mirror lock contract. Under normal circumstances, users lock their collateral, and after a 14-day holding period, they can use an unlock function to release the collateral.

Until the UST implosion, the code which governed the unlock function did not have a duplicate check, meaning an attacker could repeatedly release funds after the 14-day lock-in period.
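To illustrate the missing duplicate check described above, the following is a simplified model added to this article; it is not Mirror's contract code. The `LockContract` type, its method names, and the sample positions are assumptions made for the example.

```rust
use std::collections::{HashMap, HashSet};

// Simplified model for illustration; names and structure are assumptions, not Mirror's code.
pub struct LockContract {
    positions: HashMap<u64, (u64, u64)>, // position id -> (locked amount, unlock day)
    pub pool: u64,                        // collateral held on behalf of all users
}

impl LockContract {
    pub fn new() -> Self { LockContract { positions: HashMap::new(), pool: 0 } }

    pub fn lock(&mut self, id: u64, amount: u64, unlock_day: u64) {
        self.positions.insert(id, (amount, unlock_day));
        self.pool += amount;
    }

    // Flawed pattern: the payout is totalled per listed id and positions are
    // cleared only afterwards, so an id repeated in one call is paid each time.
    pub fn unlock_unchecked(&mut self, ids: &[u64], today: u64) -> Result<u64, String> {
        let mut payout = 0u64;
        for id in ids {
            let (amount, unlock_day) = *self.positions.get(id).ok_or("unknown position")?;
            if today < unlock_day { return Err("still locked".into()); }
            payout += amount;
        }
        let remaining = self.pool.checked_sub(payout).ok_or("pool too small")?;
        for id in ids { self.positions.remove(id); }
        self.pool = remaining;
        Ok(payout)
    }

    // Same logic behind a duplicate check: any id listed twice rejects the call.
    pub fn unlock_checked(&mut self, ids: &[u64], today: u64) -> Result<u64, String> {
        let mut seen = HashSet::new();
        if !ids.iter().all(|id| seen.insert(*id)) {
            return Err("duplicate position id".into());
        }
        self.unlock_unchecked(ids, today)
    }
}

fn main() {
    let mut c = LockContract::new();
    c.lock(1, 100, 14); // constructed sample: caller's own position, 14-day lock
    c.lock(2, 900, 14); // constructed sample: another user's collateral
    println!("unchecked: {:?}", c.unlock_unchecked(&[1, 1, 1], 14));
    println!("pool left for position 2: {}", c.pool);
}
```

In the unchecked path the shortfall comes out of collateral belonging to other positions, which is why the model tracks a shared `pool`.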

What’s more, @FatManTerra alleged that Mirror Protocol patched the bug without informing the Mirror community that it even existed.

So – this bug exists and was quietly patched up – but we don't know if anyone ever noticed it or exploited it before. It would be hard to check since you would need to sift through months of chain data and millions of transactions – the Mirror forum didn't bother. (5/12)

— FatMan (@FatManTerra) May 27, 2022

Further investigations show attackers have exploited the bug hundreds of times since October 2021.

Two coffees later, as I was about to give up, I found this. Hold on… What's going on here? A single transaction from October 2021 unlocking one position over and over again – and it actually executed. Here's the transaction: https://t.co/2pbiwqKWNT (9/12) pic.twitter.com/lklZHIYQqV

— FatMan (@FatManTerra) May 27, 2022

Suspicions were further set off when one of the wallets involved timed a UST dump just before the suspension of the Terra pegging mechanism.

A community researcher under the username PF92 said at least 88 million UST was stolen through this vulnerability.

@FatManTerra signed off the tweetstorm by saying he doesn’t know who is responsible but will continue investigating.

And that's how with a little bit of luck and a lot of research, I found out about one of the greatest yet most simple smart contract exploits in blockchain history that went under the radar for about a year. Who did this? I have no idea, but I'll try to find out. (12/12)

— FatMan (@FatManTerra) May 27, 2022
