I traced this down a bit. It does look like it maybe it was security hole. Someone can review transaction to see if and who used it. Maybe at least reporting it something could happen. It would take me about 4 hour of work to figure it out.
It would also explain why they could not release the source before deployment. But after deployment two sentences of explanation plus the source could have saved days of confusion and wasted time.
And we still don’t know. I am just a random person with guesses. Would I be wasting my time to see if somebody used the exploit or not? I wish we had the two sentences of explain from the development team why the contract was changed.
Thanks, @Mirroruser, I agree. The devs “smuggled” the fix together with the short rewards change and as you say they couldn’t release the source before deployment if it meant disclosing a possible security bug. But a little more info from them could save us hours of work. I also thought about using some Terra REST API to download all TX data related to the lock contract and figure out if/when any funds were stolen. To be honest I’m not sure if it’s worth the effort anymore.
The transaction from October 2021 found by FatManTerra is the evidence that this security hole was exploited to steal over 88 million UST from the contract. The attacker received 437 times more than he was due.
does it make you think that it was linked to why the original Mirror dev team bailed? Could seem them running in fear or sharing the exploit with a friend and then running. or is there a better explanation for why the devs abandoned it?