Audits
Services
Services
Smart Contract Audit
Blockchain Protocol Audit
Penetration Testing
Cloud Penetration Testing
dApp Audit
Crypto Wallet Audit
Cross-Chain Bridge Audit
Bug Bounty
Proof of Reserves
CCSS Audit
Tokenomics Audit & Design
Smart Contract Audit
Mitigate weaknesses in your smart contract and improve its functionality with a double line-to-line code analysis and a separate review by a lead auditor.
Blockchain Protocol Audit
Secure the entire architecture and implementation layers of your blockchain protocol with professional security audits and testing.
Penetration Testing
Proactively detect vulnerabilities in your Web3 project by subjecting your systems to a simulated cyberattack in a secure and controlled environment.
Cloud Penetration Testing
Secure your cloud with Hacken's expert penetration testing. Our certified team delivers tailored security solutions for AWS, Azure, Kubernetes, and more, ensuring your data's safety.
dApp Audit
Identify vulnerabilities in applications interacting with blockchain networks with secure code review and static security analysis.
Crypto Wallet Audit
Code review & static security analysis for crypto wallet apps.
Cross-Chain Bridge Audit
Code review & security analysis for cross-chain crypto bridges.
Bug Bounty
Receive only relevant bug reports or undergo crowdsourced penetration testing with the help of thousands of ethical hackers curated by HackenProof.
Proof of Reserves
Enhance transparency in crypto exchanges with independent on-chain proof of assets’ true collateralization.
CCSS Audit
Assess and strengthen your security practices, identify vulnerabilities, and safeguard valuable digital assets in the ever-evolving cryptocurrency landscape.
Tokenomics Audit & Design
Ensure your token model robustness and efficiency and convey trust to investors and community with our thorough, independent audit of protocol economic security.
Solutions
Post-deployment security solution
Hacken Extractor
Real-time smart contract protection from assets loss
Learn more
Solutions
Featured ecosystems:
Ethereum (EVM)
BSC
Polygon
Near
Avalanche
Fantom
Aptos
Sui
Optimism
zkSync
Arbitrum
Solana
Polkadot
Cosmos
Radix
Linea
MetaMask
Others
By Languages:
Solidity
Rust
Move
Blog
Company
Company

The window to exchange $HAI for Hacken Equity Shares ($HES) is now open > Claim your spot today

Manipulations with price oracles. Mirror Protocol Exploit.

Manipulations with price oracles. Mirror Protocol Exploit.

Share via:

Hackers exploited Mirror Protocol, and the devs couldn’t do anything about it. The attacker stole more than $90m in October 2021 but this incident used to be completely unnoticed until the last week. And at the end of May 2022, the project experienced one more incident resulting in $2M drained from the protocol. A bug in the pricing oracle allowed the hack. We will explain the concept of price oracles and examine their role in Mirror Protocol exploit.

What are price oracles and how do they work

In a broader context, a price oracle is any tool showing an asset’s price. Your app or browser can be a price oracle. But in the context of smart contracts and DeFi protocols, a price oracle is a functional design that the code uses to get the price information about a given asset on-chain.

Manipulations with price oracles

The most secure on-chain price oracles are highly decentralized, which helps them resist manipulations. However, many developers design their price oracles on an ad-hoc basis paying little attention to security and decentralization. As a result, their ecosystems have lost millions of dollars due to hacks targeting the oracle implementation.

Mirror Protocol Exploit

On May 30, @FatManTerra discovered the exploit of Mirror Protocol’s price oracle. FatMan said the attacker had already drained $2m and warned that “the attack will get worse when markets open tomorrow.”

How did it happen?

Most strikingly, the bug that allowed the exploit went unnoticed for eight months. Mirror Protocol lets users take bets against stocks. It was built on Terra. A bet required locking collateral in UST, LUNC, or mAssets for two weeks. The collateral would return after the trade. Yet, Mirror’s smart contract didn’t check whether the same ID was used more than once. On Oct 8th, 2021, the hacker exploited this bug to unlock hundreds of times more collateral.

Mirror Protocol Exploit is rather ironic because it relates to Terra and Luna’s collapse. Terra Classic validators reported the price of the new Terra 2.0 $LUNA ($6.23) coin instead of its worthless predecessor Terra Classic $LUNC ($0.00009). The price oracle software was allegedly outdated: the 1old API endpoints, distribution, supply, and trading market. Two weeks ago, we warned the community that establishing Luna 2.0 would create new opportunities for scammers. This proved to be true. The undynamic and rigid price oracle network of Mirror Protocol could not handle the $LUNA -> $LUNC rebranding.

Responding to the Attack

The $2m-hack could have been prevented with proper coordination and management of price oracles during the $LUNA to $LUNC transfer. DeFi platforms can avoid this exploit with a smart contract audit and bug bounty. These two services help discover critical bugs and faulty price oracle designs before it is too late.