The Mirror Protocol deFi-application, based on an older version of the Terra blockchain, was exploited in October 2021. The attack resulted in $90 million being withdrawn from the protocol, but the hack went undetected until last week.
Mirror Protocol allowed customers to trade shares of companies using synthetic assets.
The attack was reported by a Terra community member with the nickname FatMan. His assumption was confirmed by analytical company BlockSec.
The analysts found that when a user wanted to open a short position in Mirror Protocol, he had to bail out for at least 14 days. Once the user stopped trading, all assets could be returned back to the wallet. An identifier generated by the smart contract was used to recognize the owner of the assets. However, there was a bug in the code that caused the smart contract not to check, the identifier.
In 2021, the attacker was able to use the same identifiers and take a total of about $90 million out of Mirror Protocol.
BlockSec said the attack was not known about simply because less attention has been paid to data analysis on the Terra blockchain than other popular networks.
The Mirror Protocol developers fixed the bug in May, the same time the UST detachment occurred.