Mirror Protocol Hidden Exploit
$90M drained from Terra-based Mirror Protocol via duplicate-ID collateral unlocks; the loss went unnoticed for seven months until Terra's collapse exposed it.
- Date
- Victim: Mirror Protocol
- Chain(s)
- Status
- Funds Stolen
In October 2021, the Terra-based synthetic-asset protocol Mirror Protocol was drained of approximately $90 million through a duplicate-ID exploit that went unnoticed for seven months. The breach was only discovered in May 2022 — after Terra's stablecoin had already collapsed and the broader ecosystem was unwinding — by a community analyst known as "FatMan" who noticed an unexplained discrepancy in the protocol's collateral balances.
What happened
Mirror Protocol let users mint synthetic assets ("mAssets") representing real-world securities — mTSLA for Tesla stock, mAAPL for Apple, and so on — by locking collateral in Terra-side smart contracts. To withdraw collateral, the user had to redeem the corresponding mAsset position identified by a position ID.
The bug: the redemption function accepted a list of position IDs without checking for duplicates. An attacker could submit the same legitimate position ID hundreds of times in a single redemption call, and the contract would release the collateral for each repeated ID separately — effectively turning one legitimate withdrawal into many.
A single unknown entity discovered this in October 2021 and used it to repeatedly extract collateral that wasn't theirs. The total drained over the campaign reached ~$90 million. Because the exploit operated through what looked like ordinary redemption flows — just unusual transaction shapes — it left no obvious anomaly in the standard explorer views.
Why it went undetected
Three factors made the loss invisible for seven months:
- Terra had a smaller security-research community than Ethereum, meaning fewer eyes were continually auditing on-chain activity.
- Mirror Protocol had no front-end view that showed the protocol's total locked collateral in aggregate, so the divergence between "what users had deposited" and "what was actually in the contract" had no UI manifestation.
- The attacker did not dump the proceeds on Terra DEXs in ways that would have moved prices or attracted attention; the laundering was slow and deliberate.
The breach was only discovered after Terra's UST stablecoin collapsed in May 2022 and the ensuing forensic deep-dives by community analysts surfaced the old transaction patterns.
Aftermath
- By the time the exploit was identified, Terra had collapsed. Mirror Protocol had effectively ceased operations along with the rest of the Terra DeFi ecosystem.
- No on-chain recovery was possible; the stolen funds had already been bridged, swapped and laundered over the seven-month delay.
- A separate, smaller exploit of Mirror Protocol, carried out in May 2022, was discovered shortly afterwards.
Why it matters
Mirror Protocol is one of the most striking examples of "silent" DeFi exploits — where a meaningful drain happens, no one notices, and the protocol's reported metrics continue showing healthy state while reserves quietly deplete. The defensive answers — automated solvency monitoring (TVL-against-circulating-mAsset checks, in this case), on-chain alerts when reserve ratios drift outside expected bands, community-funded continuous-monitoring services — have become standard practice for serious DeFi protocols since, but were absent at Mirror.
The deeper, uncomfortable lesson: "no one has reported a hack" is not the same as "no hack has occurred". For seven months, the on-chain evidence was sitting in public, and the absence of an alert system to surface the discrepancy was itself the attack surface.
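As an added illustration (not Mirror's contract code, and not taken from the cited sources), the following toy Rust vault puts the duplicate-ID redemption pattern from the "What happened" section beside a hardened version, and adds the reserve-versus-owed solvency check this section recommends. The Vault type, the owner names and the balances are constructed for the example.

```rust
use std::collections::{HashMap, HashSet};

/// Toy collateral vault (an assumption-level stand-in for the lock contract,
/// not Mirror's real CosmWasm code): position id -> (owner, locked collateral).
pub struct Vault {
    positions: HashMap<u64, (String, u128)>,
    pub reserve: u128, // collateral the contract actually holds
}

impl Vault {
    pub fn new(entries: &[(u64, &str, u128)]) -> Self {
        let positions = entries.iter().map(|&(id, o, c)| (id, (o.to_string(), c))).collect();
        Vault { positions, reserve: entries.iter().map(|e| e.2).sum() }
    }

    /// Collateral users still believe is locked. The solvency monitor the
    /// write-up calls for reduces to: the reserve must cover this sum.
    pub fn owed(&self) -> u128 { self.positions.values().map(|p| p.1).sum() }
    pub fn solvency_gap(&self) -> u128 { self.owed().saturating_sub(self.reserve) }

    /// Vulnerable pattern: credits a payout for every id in the list and only
    /// removes positions afterwards, so a repeated id is paid once per copy.
    pub fn redeem_unchecked(&mut self, caller: &str, ids: &[u64]) -> Result<u128, String> {
        let mut paid = 0u128;
        for id in ids {
            let (owner, amount) = self.positions.get(id).ok_or("unknown position")?;
            if owner.as_str() != caller { return Err("not the position owner".into()); }
            paid += amount;
        }
        for id in ids { self.positions.remove(id); }
        self.reserve = self.reserve.saturating_sub(paid); // overpayment comes from the shared pool
        Ok(paid)
    }

    /// Hardened: reject duplicate ids, validate every id before touching state,
    /// then remove each position exactly once as its collateral is credited.
    pub fn redeem(&mut self, caller: &str, ids: &[u64]) -> Result<u128, String> {
        if ids.iter().collect::<HashSet<_>>().len() != ids.len() {
            return Err("duplicate position id".into());
        }
        for id in ids {
            let (owner, _) = self.positions.get(id).ok_or("unknown position")?;
            if owner.as_str() != caller { return Err("not the position owner".into()); }
        }
        let paid: u128 = ids.iter().map(|id| self.positions.remove(id).unwrap().1).sum();
        self.reserve -= paid; // each id credited at most once, so this cannot underflow
        Ok(paid)
    }
}
```

Running `solvency_gap()` after every redemption is the aggregate view the page says Mirror lacked: a non-zero gap is the discrepancy that sat unnoticed for seven months.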
Sources & on-chain evidence
- [01] theblock.co: https://www.theblock.co/post/149342/a-90-million-defi-exploit-on-terra-went-unnoticed-for-seven-months
- [02] coindesk.com: https://www.coindesk.com/business/2022/05/30/terras-mirror-protocol-allegedly-suffers-new-exploit
- [03] bitcoinist.com: https://bitcoinist.com/defi-built-on-terra-succumbed-to-a-90-million/