Was there a security hole in the lock contract?

PF92 · May 17, 2022, 8:13am

The last bugfix for the lock contract (deployed on the chain on May 9, source published on github on May 14) prevented users from calling unlock_position_funds with duplicate IDs, for example:

{
  "unlock_position_funds": {
    "positions_idx": [
      "12345",
      "12345",
      "12345"
    ]
  }
}

This would lead to unlock_amount being many times more than it should be.

If any Mirror devs or any blockchain Rust hackers are reading this: was this bug exploitable in practice and could it have allowed attackers to steal funds from the contract?

The diff can be read on github here.

Mirroruser · May 17, 2022, 8:21pm

I traced this down a bit. It does look like it maybe it was security hole. Someone can review transaction to see if and who used it. Maybe at least reporting it something could happen. It would take me about 4 hour of work to figure it out.

github.com/CosmWasm/cosmwasm

Allow differentiation of existent and non-existent keys in Storage.remove

opened 12:09PM - 20 Apr 20 UTC

webmaster128

std vm maybe

The current interface ```rust pub trait Storage: ReadonlyStorage { // .….. fn remove(&mut self, key: &[u8]) -> StdResult<()>; } ``` doen't allow to differentiate if a key existed before removal or not. If this becomes an interesting information, the trait and its implementations can be changed to ```rust pub trait Storage: ReadonlyStorage { // ... /// Returns true iff an removal happened, i.e. the key existed before. fn remove(&mut self, key: &[u8]) -> StdResult<bool>; } ```

Mirroruser · May 17, 2022, 8:26pm

It would also explain why they could not release the source before deployment. But after deployment two sentences of explanation plus the source could have saved days of confusion and wasted time.

And we still don’t know. I am just a random person with guesses. Would I be wasting my time to see if somebody used the exploit or not? I wish we had the two sentences of explain from the development team why the contract was changed.

PF92 · May 18, 2022, 8:12am

Thanks, @Mirroruser, I agree. The devs “smuggled” the fix together with the short rewards change and as you say they couldn’t release the source before deployment if it meant disclosing a possible security bug. But a little more info from them could save us hours of work. I also thought about using some Terra REST API to download all TX data related to the lock contract and figure out if/when any funds were stolen. To be honest I’m not sure if it’s worth the effort anymore.

hell0men · May 27, 2022, 5:10am

It was used by at least one hacker for year and coast millions of dollars lost to Mirror.

FreddieChopin · May 27, 2022, 6:04am

Everything on terra just crumbled like a house of cards /; What a disaster… /;

PF92 · May 27, 2022, 11:25am

The transaction from October 2021 found by FatManTerra is the evidence that this security hole was exploited to steal over 88 million UST from the contract. The attacker received 437 times more than he was due.

https://finder.terra.money/classic/tx/08DD2B70F6C2335D966342C20C1E495FD7A8872310B80BAF3450B942F79EBC1F

Edit: Fixed the Finder link. Since the launch of Terra 2 the transaction can be found on the Classic chain.

whydefi · May 28, 2022, 3:20pm

does it make you think that it was linked to why the original Mirror dev team bailed? Could seem them running in fear or sharing the exploit with a friend and then running. or is there a better explanation for why the devs abandoned it?

direso.atf · May 28, 2022, 11:45pm

@Mirroruser Due to the recent de-peg, many other protocols (e.g. Pylon, Kinetic, Mars) are allowing users to unlock positions from lockdrops. Is Mirror Protocol able to do the same?