Mirror Protocol (REKT 2): Missing Duplicate-Call Check (Re-entrancy variant)
Summary
Mirror Protocol (REKT 2), a Synthetic Assets / Derivatives protocol, suffered an exploit on 2022-05-31, resulting in a loss of approximately $92M.
What happened
Mirror Protocol was silently drained of $90M over 7 months via a missing duplicate-call check on its lock contract — a bug that was then patched without any public announcement, before a second $2M exploit hit the day after the theft was publicly exposed.
Linked factors
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly (Y/N): Y (Exploit 2 only — LUNA depeg oracle inconsistency)]
- RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — silent patch on May 14, 2022 without disclosure]