You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
The Mirror Lock contract (that locks your collateral for 14 days when you short) lets you call an unlock function to unlock collateral via a list of position IDs. But they left out something crucial... A duplicate check. This fix was quietly smuggled in 18 days ago. (3/12)pic.twitter.com/hOBJ2Wfnnb
The problem with having no duplicate check is an attacker can create a short position, and after 14 days, they could call their position ID multiple times in a list. This would let them steal funds from the lock contract over and over at little cost and zero risk. (4/12)
So - this bug exists and was quietly patched up - but we don't know if anyone ever noticed it or exploited it before. It would be hard to check since you would need to sift through months of chain data and millions of transactions - the Mirror forum didn't bother. (5/12)
Call it luck, magic, or God's will - whatever you believe in - a source fell into my lap inadvertently revealing that this attack had indeed been executed hundreds of times since 2021. Before today, this was not known by anyone at all. Let's go meet the attacker, shall we? (6/12)
I happened to look at a DM (I can only read a fraction of my DMs!) and almost binned it, but something in me told me to look into the address. The man was right - the address indeed had eerily perfect timing, almost as if they had word directly from TFL. Besides the point. (7/12)pic.twitter.com/U2mJk38ub5
Here is the address for your perusal. https://etherscan.io/address/0xdb886bf718fbf354eb4202b03ad13b1cafb01276 … I was able to map this address to a Terra wallet via bridge tracing, and it had some large and interesting transactions, so I decided to dig in. Here's the Terra wallet. https://finder.terra.money/mainnet/address/terra1200zm8crgjaj949ta8r7p6pay0qq638js4sdmh … (8/12)
Two coffees later, as I was about to give up, I found this. Hold on... What's going on here? A single transaction from October 2021 unlocking one position over and over again - and it actually executed. Here's the transaction: https://finder.terra.money/mainnet/tx/08DD2B70F6C2335D966342C20C1E495FD7A8872310B80BAF3450B942F79EBC1F … (9/12)pic.twitter.com/lklZHIYQqV
The lock contract didn't check that the funds were sent from the mint contract, so the attacker opened a position with $10 in collateral (!) and send $10k directly to the lock contract. They could then loop-unlock others' collateral over and over again from the contract. (10/12)
In one transaction, the attacker turned $10,000 into $4,300,000. This was actually done several times, generating a total of well over $30m. All of this went completely unnoticed by TFL and the Mirror team & community. This is the first time this attack has been revealed. (11/12)
And that's how with a little bit of luck and a lot of research, I found out about one of the greatest yet most simple smart contract exploits in blockchain history that went under the radar for almost a year. Who did this? I have no idea, but I'll try to find out. (12/12)
PS. They tried hard to obfuscate their cashouts on Ethereum, but we're looking for them, and I hope we find them eventually. My team of researchers and I are hard at work - you can hide IRL, but the blockchain never forgets.pic.twitter.com/RHpE5u4hn2
Afterthought: I just realized that the attacker siphoning out tens of millions over the year is probably why @ApertureFinance users and Mirror shorters couldn't withdraw the other day - there was no new 'bug' - the Mirror developer team really should have disclosed this...
Two days on, I'd like to correct some claims going around: - I don't believe this was an inside job. No compelling evidence of that yet. - I'm not a 'genius' and I didn't find this all by myself. Story embellished for narrative; the credit goes to my amazing anon research team.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
What if I told you that Mirror Protocol, up until 18 days ago, was susceptible to the one of the most profitable exploits of all time, allowing an attacker to generate $4.3m from $10k in a single transaction? Here's how I discovered this - by pure serendipity.