Mirror Protocol Governance Attack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Mirror Protocol

Mirror Protocol is a Terra project that allows the creation of synthetic assets which mirror other assets, such as stocks. The protocol is governed through community polls. This governance process was attacked by submitting a large number of malicious proposals that would transfer funds to the attacker (roughly $40m in total). There is no indication that any funds were actually sent to the attackers.

About Mirror Protocol

[1][2][3][4]

"Mirror is a DeFi protocol powered by smart contracts on the Terra network that enables the creation of synthetic assets called Mirrored Assets (mAssets). mAssets mimic the price behavior of real-world assets and give traders anywhere in the world open access to price exposure without the burdens of owning or transacting real assets."

"The minting of mAssets is decentralized and is undertaken by users throughout the network by opening a position and depositing collateral. Mirror ensures that there is always sufficient collateral within the protocol to cover mAssets, and also manages markets for mAssets by listing them on Terraswap against UST."

"The Mirror Token (MIR) is minted by the protocol and distributed as a reward to reinforce behavior that secures the ecosystem. With it, Mirror ensures liquid mAsset markets by rewarding MIR to users who stake LP Tokens obtained through providing liquidity. Also, to incentivize users to ensure mAssets mimic the price behavior of real-world assets, users who stake sLP Tokens obtained through shorting mAssets are rewarded with MIR. MIR is valuable as it can be staked to receive voting privileges and to earn a share of the protocol's CDP withdrawal fees."

"Mirror is a project developed and steered by its community: its markets are maintained by its own users through MIR incentives, and the protocol evolves with new ideas through democratic governance."


The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

"A series of fraudulent polls have recently been launched against Mirror Protocol in an effort to steal tens of millions of dollars and bring it down." "The attackers are also flooding the governance page with fake polls in hopes that people cannot find polls like 185 and to confuse them. They have also timed their attacks to coincide with the Christmas and New Years holidays hoping to catch the MIR community sleeping and off-guard."

Key Event Timeline - Mirror Protocol Governance Attack

Date | Event | Description
December 24th, 2021 10:42:30 AM MST | Concern Raised On Mirror Finance Forum | The concern is raised on the Mirror Finance forum[5].
December 25th, 2021 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
December 25th, 2021 11:34:00 AM MST | CertiK Tweet | The CertiK community leaderboard shares a tweet to warn the community about the governance proposals[6][7].

Technical Details

"Mirror Protocol is suffering from a planned governance attack. The attacker launched a series of fake polls to defraud the $MIR token in the governance page. So far, the proposals 185, 198, 204, 206, 207, 208 are identified as scam proposals. Please try to vote NO on these polls. If the attacker succeeds, it might cause the loss of 30+ M worth of $MIR tokens on Terra."


Total Amount Lost

"The summation of MIR trying to be stolen via these attacks is worth over $40 million, or 1/3rd of the community pool."

It doesn't appear that any MIR was actually lost.

Immediate Reactions

Mirror Finance Forum Thread Discussion

The concern over the proposals was raised on the Mirror Finance forum. A wide range of amounts and addresses exist in proposals to receive funds[5].

A series of fraudulent polls have recently been launched against Mirror Protocol in an effort to steal tens of millions of dollars and bring it down. Terra Network needs to investigate these scammers before they launch more attacks on other protocols. Based on the coordination and large amounts of money these attackers have, this does not appear to be some random attackers, but a coordinated effort by wealthy individuals or organizations with large funds.

The attackers are also flooding the governance page with fake polls in hopes that people cannot find polls like 185 and to confuse them. They have also timed their attacks to coincide with the Christmas and New Years holidays hoping to catch the MIR community sleeping and off-guard.

Polls that would damage MIR:

185 - Sends 15 million MIR ($37 million) to wallet terra1kgj5ceav2hzf5k7gx8y8u5rz8szx36e9zupjgn created on December 22, 2021

198 - Sends 2 million MIR ($5 million) to wallet terra1ad5zatt0490urv9ydtka05my9xlp0aw6u0q9jd created on November 17, 2021

204 - Sends 25,000 MIR ($50,000) to wallet terra1ng7h7j22tc5588j2vny29yg39auv5ptl7mnga8 created on December 24

206 - Sends 250,000 MIR ($500,000) to wallet terra180n6xmgyeh7ndzt8r2aav6lqhwyw8drnedxp7c created on December 24

207 - Sends 250,000 MIR ($500,000) to wallet terra180n6xmgyeh7ndzt8r2aav6lqhwyw8drnedxp7c created on December 24 (same as 206)

208 - Original Poll 177 Scammer that originally tried sabotaging MIR by reweighing mDOT, mETH, and mBTC, before trying to start the fraud

Please spread the word and hopefully this gets taken up by Terra since these attackers are using various Terra addresses to sabotage ecosystems within the Terra Network.

The summation of MIR trying to be stolen via these attacks is worth over $40 million, or 1/3rd of the community pool.

The following polls are issuing real warnings against the scammers: 190, 201, 202, 203, 205, and 209.

The community broadly agreed that these proposals were not beneficial, and members were warned to be cautious when considering new proposals in the future.[5]
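The forum post above gives a usable signature for this kind of attack: community-pool spend polls for a large share of the pool, paid to wallets created days before the poll, the same recipient reused across polls, and a burst of polls opened in a short window. The following triage script is an added example, not code from this page, from Mirror Protocol or from the Quadriga Initiative. Poll numbers, amounts, recipient addresses and wallet creation dates are taken from the post; the poll submission dates, the control poll 9001, its recipient address and the community pool size (52,000,000 MIR, chosen so that the requested ~17.5M MIR is about one third, as the post states) are constructed assumptions.

```python
"""Added example: defender-side triage of community-pool spend proposals.
Not code from the case study page or from Mirror Protocol."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SpendPoll:
    poll_id: int
    amount_mir: float       # MIR requested from the community pool
    recipient: str          # address that would receive the funds
    wallet_created: date    # first on-chain activity of the recipient
    submitted: date         # when the poll was opened (assumed below)


# The page says the requested MIR was "1/3rd of the community pool" but does
# not give the pool size; 52,000,000 is an assumption consistent with that.
COMMUNITY_POOL_MIR = 52_000_000

# Polls 185-207 as listed in the forum post. Creation-year 2021 for the
# December 24 wallets, all submission dates, and control poll 9001 (a small
# spend to an old wallet, with a made-up address) are constructed.
SAMPLE_POLLS = [
    SpendPoll(185, 15_000_000, "terra1kgj5ceav2hzf5k7gx8y8u5rz8szx36e9zupjgn", date(2021, 12, 22), date(2021, 12, 22)),
    SpendPoll(198, 2_000_000, "terra1ad5zatt0490urv9ydtka05my9xlp0aw6u0q9jd", date(2021, 11, 17), date(2021, 12, 23)),
    SpendPoll(204, 25_000, "terra1ng7h7j22tc5588j2vny29yg39auv5ptl7mnga8", date(2021, 12, 24), date(2021, 12, 24)),
    SpendPoll(206, 250_000, "terra180n6xmgyeh7ndzt8r2aav6lqhwyw8drnedxp7c", date(2021, 12, 24), date(2021, 12, 24)),
    SpendPoll(207, 250_000, "terra180n6xmgyeh7ndzt8r2aav6lqhwyw8drnedxp7c", date(2021, 12, 24), date(2021, 12, 24)),
    SpendPoll(9001, 10_000, "terra1constructedbenignrecipientxxxxxxxxxxxxx", date(2021, 3, 1), date(2021, 11, 1)),
]


def triage(polls, pool_mir=COMMUNITY_POOL_MIR, large_share=0.01,
           new_wallet_days=30, flood_window_days=3, flood_threshold=3):
    """Return {poll_id: sorted list of flags}; an empty list means no finding."""
    recipients = Counter(p.recipient for p in polls)
    flags = {}
    for p in polls:
        found = []
        # A single poll asking for >= 1% of the pool deserves a second look.
        if p.amount_mir / pool_mir >= large_share:
            found.append("large_spend")
        # Recipient wallet created shortly before the poll was opened.
        if (p.submitted - p.wallet_created).days <= new_wallet_days:
            found.append("new_recipient")
        # Same recipient across several polls (polls 206 and 207 here).
        if recipients[p.recipient] > 1:
            found.append("duplicate_recipient")
        # Burst of spend polls within a few days of each other.
        nearby = sum(1 for q in polls
                     if abs((q.submitted - p.submitted).days) <= flood_window_days)
        if nearby >= flood_threshold:
            found.append("proposal_flood")
        flags[p.poll_id] = sorted(found)
    return flags


def requested_by_flagged(polls, flags):
    """Total MIR requested by every poll that carries at least one flag."""
    return sum(p.amount_mir for p in polls if flags[p.poll_id])


def pool_share(amount_mir, pool_mir=COMMUNITY_POOL_MIR):
    """Fraction of the community pool an amount represents."""
    return amount_mir / pool_mir


if __name__ == "__main__":
    result = triage(SAMPLE_POLLS)
    for p in SAMPLE_POLLS:
        print(f"poll {p.poll_id}: {p.amount_mir:,.0f} MIR -> "
              f"{', '.join(result[p.poll_id]) or 'no flags'}")
    at_risk = requested_by_flagged(SAMPLE_POLLS, result)
    print(f"flagged polls request {at_risk:,.0f} MIR "
          f"({pool_share(at_risk):.1%} of the assumed pool)")
```

The thresholds are deliberately conservative defaults for a community watcher rather than tuned values: a 1% pool share, a 30-day wallet age and three spend polls within three days would each have flagged the polls in this case while leaving the control poll untouched. In practice the recipient creation dates would come from an indexer query rather than being typed in, and the output would feed an alert to voters rather than a console.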

Tweet And CertiK Community Leaderboard

CertiK shared a warning about the fraudulent polls on their community leaderboard and on Twitter[7].

The @terra_money's @mirror_protocol is under governance attack. The attacker is flooding a series of fake polls to confuse the community. The scam proposals are 185,198,204,206,207,208. Please vote NO to these proposals.

Ultimate Outcome

TBD

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

TBD

Individual Prevention Policies

This case does not appear to have resulted in a loss to any individual. However, all smart contracts require care to be exercised to prevent loss.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

This case does not appear to have resulted in a loss to any platform. Other cases of loss can be prevented through more comprehensive security reviews. Victims could be assisted through an industry insurance fund.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

It does not appear that any funds were lost in this case. Other cases of loss can be prevented through more comprehensive security reviews. Victims could be assisted through an industry insurance fund.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References