Terra suffers more turbulence due to a complex security breach, draining $6.8M from the battle-scarred chain.

  • Hacker exploits an unpatched vulnerability on Terra to mint tokens out of thin air.

  • This comes just a week after TerraForm Labs announced a repayment plan.

  • Terra’s community identifies the culprit, but the drained funds are long gone.

Trouble keeps finding Terra Luna’s blockchain, as TerraForm Labs’ native chain was temporarily halted at block 11430400 on July 31, 2024.

This action was taken after multiple blockchain intelligence platforms sounded the alarm about the draining of over $6M in digital assets, including 60M ASTRO tokens, native to Astroport’s liquidity protocol on Terra Luna’s chain.

Besides Astroport’s own token, an eye-watering 3.5M Circle USD (USDC), 500,000 Tether USD (USDT), and 2.7 Bitcoin (BTC) were drained during the incident. 

The hacking incident, which caused damage of $6.8 million, comes just a week after TerraForm Labs issued a crypto loss claim timeline for the downtrodden investors of the 2022 Terra Luna fiasco.

How Terra’s Hacker Exploited the Outdated System

According to Astroport, the network’s Inter-Blockchain Communication (IBC) vulnerability was recognized in April 2024. 

ATTENTION

Terra chain has halted for emergency upgrades. https://t.co/1ClV5KahMO

It appears an IBC vulnerability was exploited in order to mint several tokens on Terra chain, including $ASTRO. As the chain has now halted, no further tokens are able to be minted at this…

— Astroport ✦ (@astroport_fi) July 31, 2024

Because Terra’s new chain was not patched, the exploiter managed to mint new tokens onto Terra by utilizing an IBC call contract with IBC hooks and a timeout.

The security breach breakdown by blockchain security audit company Cyvers highlighted that despite the issue being known to the public since April, the upgrade package installed in June 2024 on Terra 2.0 overlooked this, thus paving the way for a security breach.

The hackers used small-scale transfers that never exceeded 56 LUNA or 7,800 USDC per transaction but still managed to leave with a haul of $6.8 million.

Soon after, the fraudster used a cross-chain bridge to move the stolen funds to Ethereum and swapped the $6.8M loot for Ether (ETH).

While Terra chain’s community confirmed it had identified the culprit’s crypto address, retrieving these digital funds might be impossible.

The hacker used a third-party module for cross-chain contracts and token transfers between blockchains.

Community Full of Regret: Could This Have Been Prevented?

Terra Luna’s holder community has been vocal about the recent setback, as many crypto enthusiasts expressed their regret about the IBC-related upgrade being reversed in June’s chain upgrade.

Had that not happened, the hacking incident could have been prevented, argues Ethan Buchman, the co-founder of Cosmos Chains.

https://twitter.com/buchmanster/status/1818635038260428982

“Unfortunately, they’re using a fork of IBC, which makes it harder to stay up to date and apply security patches,” says Buchman.

The Cosmos Chains co-founder is referring to the outdated fork of IBC-go 7.3.x, last updated in September 2023. Because of this, Terra 2.0 missed out on the critical patch that would have prevented the hacker from minting tokens on Terra Luna’s blockchain out of thin air.
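For chain maintainers, the fork problem Buchman describes can be surfaced automatically. The following is an added example, not code from Terra, Astroport or the IBC-go project: a small Python check that reads a Go module file and reports when a watched upstream module is redirected to a fork through a replace directive. The go.mod content, the fork path and the versions in it are constructed for illustration, and the watch list is an assumption.

```python
import re

# Upstream module prefixes to watch (assumption: set these per chain).
WATCHED = ("github.com/cosmos/ibc-go", "github.com/cosmos/cosmos-sdk")

# Constructed go.mod; the fork path and all versions are placeholders.
SAMPLE_GO_MOD = """\
module example.com/constructed-chain

require (
    github.com/cosmos/cosmos-sdk v0.47.5
    github.com/cosmos/ibc-go/v7 v7.3.0
)

replace (
    // constructed fork entry
    github.com/cosmos/ibc-go/v7 => github.com/example-org/ibc-go/v7 v7.3.0-fork.1
    github.com/example/other => ../other
)

replace github.com/cosmos/cosmos-sdk => github.com/cosmos/cosmos-sdk v0.47.6
"""

# "old [version] => new [version]", the body of a replace directive.
REPLACE_RE = re.compile(r"^(\S+)(?:\s+\S+)?\s+=>\s+(\S+)(?:\s+(\S+))?$")

def find_forked_modules(go_mod_text, watched=WATCHED):
    """Return (upstream, replacement, version) for watched modules that are
    redirected to a different module path, i.e. a fork or local copy."""
    findings, in_block = [], False
    for raw in go_mod_text.splitlines():
        line = raw.split("//", 1)[0].strip()    # drop comments
        if not line:
            continue
        if re.match(r"^replace\s*\($", line):   # start of a replace ( ... ) block
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if line.startswith("replace "):         # single-line form
            line = line[len("replace "):].strip()
        elif not in_block:
            continue                            # module, require and other lines
        m = REPLACE_RE.match(line)
        if m and m.group(1).startswith(watched) and m.group(2) != m.group(1):
            findings.append(m.groups())
    return findings

if __name__ == "__main__":
    for old, new, ver in find_forked_modules(SAMPLE_GO_MOD):
        print(f"FORK: {old} -> {new} {ver or ''}")
```

A replace that keeps the same module path and only pins a version is not reported; each reported fork is a dependency whose upstream security releases have to be tracked and ported by hand.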

“Need an ecosystem wide effort to un-fork as many projects as possible,” Ethan Buchman contemplates. The incident tremendously affected the chain’s native cryptocurrency, as LUNA fell to $0.369 on August 1, 2024.

The Inter-Blockchain Communication (IBC)-linked exploit affected Terra 2.0 but missed the original Terra Luna Classic (LUNC) chain.

Genuine Labs, which manages Terra Luna Classic’s (LUNC) security status, implemented the relevant patch in May 2024.

Working out the stumbling blocks and applying timely chain upgrades could prevent security breaches due to vulnerable code.