Was there a security hole in the lock contract?

The last bugfix for the lock contract (deployed on the chain on May 9, source published on github on May 14) prevented users from calling unlock_position_funds with duplicate IDs, for example:

{
  "unlock_position_funds": {
    "positions_idx": [
      "12345",
      "12345",
      "12345"
    ]
  }
}

This would lead to unlock_amount being many times more than it should be.

If any Mirror devs or any blockchain Rust hackers are reading this: was this bug exploitable in practice and could it have allowed attackers to steal funds from the contract?

The diff can be read on github here.

2 Likes
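A minimal model of the duplicate-id bug described above, with the duplicate check the fix is said to have added, as an added example in Rust (the contract's language); it is not the Mirror lock contract's own code, and `LockState`, `sample_state` and the amounts are constructed.

```rust
use std::collections::{BTreeMap, HashSet};

/// Constructed model of a lock contract: position id -> locked amount (not Mirror's code).
pub struct LockState {
    pub positions: BTreeMap<u64, u128>,
}

impl LockState {
    /// Vulnerable pattern: each entry in `positions_idx` adds that position's
    /// balance to `unlock_amount`, and positions are zeroed only afterwards,
    /// so a repeated id is paid once per repetition.
    pub fn unlock_vulnerable(&mut self, positions_idx: &[u64]) -> Result<u128, String> {
        let mut unlock_amount: u128 = 0;
        for idx in positions_idx {
            unlock_amount += *self.positions.get(idx).ok_or("unknown position")?;
        }
        for idx in positions_idx {
            self.positions.insert(*idx, 0);
        }
        Ok(unlock_amount)
    }

    /// Hardened: reject duplicate ids (the check the thread says the fix added) and
    /// unknown ids before touching state, then read-and-zero each position in a
    /// single pass so a second read of the same id could never be paid.
    pub fn unlock_hardened(&mut self, positions_idx: &[u64]) -> Result<u128, String> {
        let mut seen = HashSet::new();
        for idx in positions_idx {
            if !seen.insert(*idx) {
                return Err(format!("duplicate position id {idx}"));
            }
            if !self.positions.contains_key(idx) {
                return Err(format!("unknown position id {idx}"));
            }
        }
        let mut unlock_amount: u128 = 0;
        for idx in positions_idx {
            let slot = self.positions.get_mut(idx).expect("validated above");
            unlock_amount += *slot;
            *slot = 0; // funds leave the position exactly once
        }
        Ok(unlock_amount)
    }
}

/// Constructed sample state: position 12345 holds 1_000_000, position 777 holds 500_000.
pub fn sample_state() -> LockState {
    LockState { positions: BTreeMap::from([(12345u64, 1_000_000u128), (777, 500_000)]) }
}
```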

I traced this down a bit. It does look like maybe it was a security hole. Someone can review transactions to see if and who used it. Maybe by at least reporting it, something could happen. It would take me about 4 hours of work to figure it out.

1 Like

It would also explain why they could not release the source before deployment. But after deployment two sentences of explanation plus the source could have saved days of confusion and wasted time.

And we still don’t know. I am just a random person with guesses. Would I be wasting my time to see if somebody used the exploit or not? I wish we had the two sentences of explanation from the development team why the contract was changed.

1 Like

Thanks, @Mirroruser, I agree. The devs “smuggled” the fix together with the short rewards change and as you say they couldn’t release the source before deployment if it meant disclosing a possible security bug. But a little more info from them could save us hours of work. I also thought about using some Terra REST API to download all TX data related to the lock contract and figure out if/when any funds were stolen. To be honest I’m not sure if it’s worth the effort anymore.

It was used by at least one hacker for a year and cost Mirror millions of dollars.

Everything on Terra just crumbled like a house of cards. What a disaster…

The transaction from October 2021 found by FatManTerra is the evidence that this security hole was exploited to steal over 88 million UST from the contract. The attacker received 437 times more than he was due.

https://finder.terra.money/classic/tx/08DD2B70F6C2335D966342C20C1E495FD7A8872310B80BAF3450B942F79EBC1F

Edit: Fixed the Finder link. Since the launch of Terra 2 the transaction can be found on the Classic chain.

Does it make you think that it was linked to why the original Mirror dev team bailed? Could see them running in fear or sharing the exploit with a friend and then running. Or is there a better explanation for why the devs abandoned it?

@Mirroruser Due to the recent de-peg, many other protocols (e.g. Pylon, Kinetic, Mars) are allowing users to unlock positions from lockdrops. Is Mirror Protocol able to do the same?