Researcher discovers vulnerability in the Terra Mirror Protocol that allowed attackers to siphon tens of millions from the project

A crypto researcher who goes by "FatMan" discovered that the Mirror Protocol in the Terra ecosystem contained a serious vulnerability, that was quietly patched with no announcement on May 9. The Mirror Protocol code previously lacked a duplicate check, which meant that attackers could create a short position and then withdraw it repeatedly in the same transaction, taking many times more money than they should have been authorized to withdraw.

FatMan discovered one instance where a person deposited $10,000 and later withdrew $4.3 million. According to FatMan, they found repeated exploits of this type that earned attackers "well over $30 million". Another researcher on Terra forums estimated about $88 million had been exfiltrated from the project in this way, over the many months the bug went undiscovered and unpatched by Mirror developers.