Call it luck, magic, or God's will - whatever you believe in - a source fell into my lap inadvertently revealing that this attack had indeed been executed hundreds of times since 2021. Before today, this was not known by anyone at all. Let's go meet the attacker, shall we? (6/12)
I happened to look at a DM (I can only read a fraction of my DMs!) and almost binned it, but something in me told me to look into the address. The man was right - the address indeed had eerily perfect timing, almost as if they had word directly from TFL. Besides the point. (7/12)
Here is the address for your perusal. https://etherscan.io/address/0xdb886bf718fbf354eb4202b03ad13b1cafb01276 … I was able to map this address to a Terra wallet via bridge tracing, and it had some large and interesting transactions, so I decided to dig in. Here's the Terra wallet. https://finder.terra.money/mainnet/address/terra1200zm8crgjaj949ta8r7p6pay0qq638js4sdmh … (8/12)
Two coffees later, as I was about to give up, I found this. Hold on... What's going on here? A single transaction from October 2021 unlocking one position over and over again - and it actually executed. Here's the transaction: https://finder.terra.money/mainnet/tx/08DD2B70F6C2335D966342C20C1E495FD7A8872310B80BAF3450B942F79EBC1F … (9/12)
The lock contract didn't check that the funds were sent from the mint contract, so the attacker opened a position with $10 in collateral (!) and sent $10k directly to the lock contract. They could then loop-unlock others' collateral over and over again from the contract. (10/12)
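As an added illustration (a constructed Rust model of my own, not Mirror's, TFL's or any real contract's code), here is a simplified lock contract with the two properties tweet 10/12 describes: the unhardened path accepts the lock hook from any sender and settles a repeated position id as many times as it is listed, while the hardened path only accepts collateral from the mint contract and zeroes a position before paying it. The names `LockContract`, `lock_position_funds`, `unlock_position_funds` and the `hardened` flag are assumptions, as are the constructed amounts in the test.

```rust
use std::collections::HashMap;

/// Constructed model of a collateral lock contract (not Mirror's or TFL's code).
pub struct LockContract {
    pub mint_contract: String,
    pub balance: u128,                    // pooled funds held for every position
    locked: HashMap<u64, (String, u128)>, // position id -> (owner, locked amount)
    hardened: bool,                       // false reproduces the missing checks
}

impl LockContract {
    pub fn new(mint_contract: &str, hardened: bool) -> Self {
        Self { mint_contract: mint_contract.to_string(), balance: 0, locked: HashMap::new(), hardened }
    }

    /// Hook that credits collateral to a position. Only the mint contract should be
    /// able to call it; the unhardened variant trusts whatever `sender` claims.
    pub fn lock_position_funds(&mut self, sender: &str, id: u64, owner: &str, amount: u128) -> Result<(), String> {
        if self.hardened && sender != self.mint_contract {
            return Err("unauthorized: collateral must arrive via the mint contract".to_string());
        }
        self.balance += amount;
        let pos = self.locked.entry(id).or_insert((owner.to_string(), 0));
        pos.1 += amount;
        Ok(())
    }

    /// Pays out the locked amount of each listed position to its owner. The hardened
    /// variant zeroes a position before paying it, so a repeated id settles once.
    pub fn unlock_position_funds(&mut self, caller: &str, ids: &[u64]) -> Result<u128, String> {
        let mut payout: u128 = 0;
        for id in ids {
            let pos = self.locked.get_mut(id).ok_or_else(|| format!("unknown position {}", id))?;
            if pos.0 != caller {
                return Err("caller does not own this position".to_string());
            }
            payout += pos.1;
            if self.hardened {
                pos.1 = 0; // settle once; a duplicate id now contributes nothing
            }
        }
        if payout > self.balance {
            return Err("insufficient pooled funds".to_string());
        }
        self.balance -= payout;
        Ok(payout)
    }
}
```

The unhardened variant ends with a pooled balance lower than what other positions still have locked, which is the "TX failed" on withdrawal that the replies below describe.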
In one transaction, the attacker turned $10,000 into $4,300,000. This was actually done several times, generating a total of well over $30m. All of this went completely unnoticed by TFL and the Mirror team & community. This is the first time this attack has been revealed. (11/12)
And that's how with a little bit of luck and a lot of research, I found out about one of the greatest yet most simple smart contract exploits in blockchain history that went under the radar for almost a year. Who did this? I have no idea, but I'll try to find out. (12/12)
PS. They tried hard to obfuscate their cashouts on Ethereum, but we're looking for them, and I hope we find them eventually. My team of researchers and I are hard at work - you can hide IRL, but the blockchain never forgets.
Afterthought: I just realized that the attacker siphoning out tens of millions over the year is probably why @ApertureFinance users and Mirror shorters couldn't withdraw the other day - there was no new 'bug' - the Mirror developer team really should have disclosed this...
Replying to @FatManTerra @ApertureFinance
Yup. These dips to zero balance on the Mirror contract meant people were trying to withdraw funds that were rightfully theirs... but were not available due to the $90M exploit. I can only imagine the confusion of people getting "TX failed".
Yeah, I can't believe it took me that long to put two and two together, and I also can't believe Mirror devs were completely silent the whole time even after implementing the fix
Yeah, thanks man. I was amongst the victims; when I was finally able to withdraw, my 20k amounted to $1400. Good job by the hackers.