
Mirror Protocol
Hacked · DeFi · $MIR · ✝ 2021
A duplicate-call bug let the same deposit be unlocked again and again.
Mirror Protocol was a Terra-based synthetic-assets platform that let users mint tokenized stocks (mAssets). A duplicate-call exploit let an attacker repeatedly withdraw the same locked collateral, draining roughly $90M before the bug was noticed.
- Peak: ~$90M stolen
- Cause: Hacked
- Year of death: 2021
☠️ Cause of death
A flaw allowed a single unlock message to be processed multiple times, releasing far more collateral than was ever deposited.
📓 Lessons left behind
- Validate that each lock can be unlocked exactly once.
- Idempotency bugs in withdrawal logic are silent killers.
- Audit message-handling paths for replay and duplication.
🌱 The idea that survived
Withdrawal invariant testing
Highlighted the need for invariant tests proving collateral out never exceeds collateral in.
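
The exactly-once lesson and the collateral invariant above, as an added Rust sketch that is not Mirror's contract code: the `Vault` type, its two handlers and the sample amounts are hypothetical and constructed for illustration. It delivers the same unlock message more than once and checks the invariant after every message.

```rust
use std::collections::HashMap;

// Constructed toy ledger with hypothetical names; not Mirror's contract code.
#[derive(Default)]
pub struct Vault {
    locks: HashMap<u64, u128>, // lock id -> collateral still locked
    pub total_in: u128,
    pub total_out: u128,
}

impl Vault {
    pub fn lock(&mut self, id: u64, amount: u128) {
        *self.locks.entry(id).or_insert(0) += amount;
        self.total_in += amount;
    }
    /// Flawed: reads the lock but never consumes it, so each redelivery pays again.
    pub fn unlock_flawed(&mut self, id: u64) -> u128 {
        let paid = self.locks.get(&id).copied().unwrap_or(0);
        self.total_out += paid;
        paid
    }
    /// Hardened: removing the entry makes the lock payable exactly once.
    pub fn unlock_once(&mut self, id: u64) -> u128 {
        let paid = self.locks.remove(&id).unwrap_or(0);
        self.total_out += paid;
        paid
    }
    /// Invariant: collateral out never exceeds collateral in.
    pub fn invariant_holds(&self) -> bool { self.total_out <= self.total_in }
}

/// Invariant test: deliver each unlock message `deliveries` times, checking every step.
pub fn survives_duplicates(hardened: bool, deliveries: usize) -> bool {
    let mut v = Vault::default();
    for (id, amount) in [(1u64, 100u128), (2, 250), (3, 40)] {
        v.lock(id, amount);
    }
    for id in [1u64, 2, 3, 2, 1] {
        for _ in 0..deliveries {
            if hardened { v.unlock_once(id); } else { v.unlock_flawed(id); }
            if !v.invariant_holds() { return false; }
        }
    }
    true
}

fn main() {
    println!("flawed={} hardened={}", survives_duplicates(false, 3), survives_duplicates(true, 3));
}
```

Checking the invariant after each message rather than once at the end pinpoints the first duplicate delivery that releases collateral which was never deposited.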
#defi #synthetics #terra