Mirror Exploits

I would like to open discussion about the two recent exploits and other potential exploits.

To my knowledge I was the first to make the public aware of the recent mint lock contract issue on May 9. You can see my original post link below. At the time I didn’t know what the official cause was, I just knew there was an issue. I spent days trying to get ahold of someone on the “dev” team to no avail. I ended up messaging with individual users to assist in helping them unlock funds.

On May 28, I discovered the most recent exploit as it was happening. It took me a little bit of time to do analysis to verify what was happening and I posted about it immediately on the forums. They were still draining the mBTC, mETH, and mDOT pools as I posted. There was still time to save mGLXY and all other pools. Given my experience trying to get someone to help resolve the previous issue, I felt my only option was to post on the forum. Anything else was a waste of time.

If you read the official mirror documentation you can learn about a bug bounty program up to $150k. I think the most recent issue would be considered the most severe possible bug as it was on a path to drain everything. However, when you try to send a email to “security@mirror.finance” you get a bounce back.

So, is there a bug bounty? Should there be a bug bounty?

A couple of weeks ago, it seems maybe the dev team just abandoned the project but its clear they haven’t. They just do not want to say anything publicly.

In theory, this is supposed to be a DAO. However, it is not as the mirror team holds all voting power. What do you guys think about opening a poll for the bug bounty? I 99% sure it won’t pass as the only vote that matters will not vote. BUT, I would like to do it anyways as it gives us more information to what is going on about the dev team’s involvement. In the last few months, has anyone heard anything, either officially or unofficially, from the only vote that matters in this protocol? I for one have not.

There are some nuances of responsibility and liability of the luna price oracle, but I think its all the same team that has all the voting power?

References:

First exploit related post. The content is wrong as the migration was not the hack but was first public knowledge of a real exploit : SIMP-3: Change Short-Farm Maximum Reward Allocation from 40% to 100% - #210 by Mirroruser

Recent exploit discovery: Another exploit - #3 by tommyhuke

Bug bounty: Security - mirror

1 Like

Just to make it clear for everyone, you were claiming in multiple posts that the poll 273 (“Change Short-Farm Max Reward allocation from 40% to 80%”) was an exploit or a “hack”. This was later disproved. However it’s true that you were the first who warned us all that the lock contract had become empty.

Certainly you were the first who wrote about the attack on mBTC, mETH and mDOT caused by invalid LUNC oracle price.

The bug bounty program is probably obsolete, like much of the content on docs.mirror.finance. Unfortunately I don’t think that any public forum posts about vulnerabilities would qualify for the program anyway.

To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we require that you:

  • (…)
  • Use only security@mirror.finance to discuss vulnerabilities with us.
  • Keep the details of any discovered vulnerabilities confidential until they are fixed.

Thanks for the follow up. I thought I had made that clear in my post with the sentence “The content is wrong as the migration was not the hack but was first public knowledge of a real exploit” . And it was only ONE post that I said “I think” the migration was the hack.if you read any other post I say I don’t know. If I had the source I would know. If you read the link you posted you can read my follow up after I saw the source.

The only reason for mentioning the first was one to illustrate that there is no way to communicate the issue. “Keep the details of any discovered vulnerabilities confidential until they are fixed” to me means just sit on the information. I should not have posted about the second issue?. Remember that it was one day before the mglxy got whipped out. Anyone reading the post could have save their mglxy value. So what is your point in highlighting that I was wrong about the source of the first hack?

One thing that is not obsolete yet is the millions of dollars in locked value.

How do you imagine a bug bounty program without the ability to report bugs privately to the team? It makes no sense. On Mirror the only options you currently have if you find a security bug: 1) write about it publicly so that other attackers can abuse it; 2) exploit the bug yourself; 3) do nothing. A bounty should be a financial incentive to report the bug privately instead. On Mirror it’s not possible.

In the most recent case, yes, it was beneficial that you wrote on the forum so that other users had some time to prepare. An attack on other assets was probably planned anyway and it took the devs (I’m not sure if Mirror, Band or others) “only” about 48h to react. In case of other bugs it could be very different.

Yes I agree with most everything you said. But in these two cases I used option an option four. Alert users so they can try to save money from the hackers and try to get somebody to do something about it. What option would you have picked?

Was my first post also useful in alerting users if they used the system their funds would be locked as ust went from 80cents to 20 cents?

What do you think should be done with the millions in “community funds”?. Should maybe we award people that try to save users from hackers?

Has anyone lost anything significant in these exploits? The reason I ask is because I still have some active Mirror platform insurance that I was not using, as I had liquidated all my holdings there. Perhaps someone is interested in making a deal?