- Hackers are exploiting Terra’s outdated security patch to mine tokens out of thin air.
- This comes just a week after TerraForm Labs announced its repayment plan.
- The Terra community has figured out the culprit, but the depleted funds are long gone.
Terra Luna’s blockchain continues to experience issues. TerraForm Labs’ native chain was temporarily suspended at block 11430400 on July 31, 2024. This action was taken after multiple blockchain intelligence platforms raised alerts that over $6 million worth of digital assets had been lost, including 60 million ASTRO tokens on the Astroport liquidity protocol on the Terra Luna chain.
In addition to Astroport’s own tokens, the breach also resulted in a whopping 3.5M Circle USD (USDC), 500,000 Tether USD (USDT), and 2.7 Bitcoin (BTC) being lost. The $6.8 million hack comes just a week after TerraForm Labs announced a cryptocurrency loss claim timeline for investors affected by the 2022 Terra Luna incident.
How Terra’s Hackers Exploited Old Systems
According to Astroport, the network’s inter-blockchain communication (IBC) vulnerability was discovered in April 2024. Since Terra’s new chain was not patched, the exploiter was able to mint new tokens on Terra by leveraging an IBC call contract with an IBC hook and timeout.
A security breach analysis released by blockchain security audit firm Cyvers found that although the issue had been known to the public since April, an upgrade package installed in Terra 2.0 in June 2024 overlooked it, paving the way for the security breach.
The hackers used small transfers of no more than 56 LUNA or 7,800 USDC per transaction, but still managed to steal $6.8 million. Shortly after, the scammers used a cross-chain bridge to allocate the stolen funds to Ethereum, exchanging the $6.8 million loot for Ether (ETH).
The Terra chain community has identified the perpetrator’s cryptographic address, but it may be impossible to recover these digital funds. The hacker used a third-party module to perform cross-chain contracts and token transfers between blockchains.
The Terra Luna holder community has been vocal about the recent setback, with many crypto enthusiasts expressing regret over the IBC-related upgrade being reversed in the June chain upgrade. Cosmos Chains co-founder Ethan Buchman claims that the hack could have been prevented if it had not been for the cause. “Unfortunately they are using an IBC fork, which makes it harder to keep them up to date and apply security patches.” Burkman says.
The Cosmos Chains co-founder mentioned an old fork of IBC-go 7.3.x that was last updated in September 2023. This caused Terra 2.0 to miss a crucial patch that would have prevented hackers from minting tokens out of thin air on Terra Luna’s blockchain.
“It takes an ecosystem-wide effort to unfork as many projects as possible.”– Ethan Buchman muses. The incident had a huge impact on the chain’s native cryptocurrency, causing LUNA to drop to $0.369 on August 1, 2024.
On the other side
- An exploit related to inter-blockchain communication (IBC) affected Terra 2.0, but did not affect the original Terra Luna Classic (LUNC) chain.
- Genuine Labs, which manages the security posture of Terra Luna Classic (LUNC), implemented relevant patches in May 2024.
Why this matters
Identifying bottlenecks and applying chain upgrades in a timely manner can help prevent security breaches due to vulnerable code.
Check out DailyCoin’s popular cryptocurrency news:
Trump Starts New Side Business Branding as ‘Bitcoin President’
Ripple Rumors Dismissed as SEC Meeting Cancelled Again