An intricate exploit on the Terra blockchain has led to a massive theft of about $5 million in various cryptocurrencies. The stolen assets include around 60 million ASTRO tokens, 3.5 million USDC, 500,000 USDT, and 2.7 BTC. Beosin, a smart contract audit firm, disclosed the breach stating, “Terra blockchain was exploited for ~60M $ASTRO, 3.5M $USDC, 500k $USDT, and 2.7 $BTC.”

Details of the Terra Blockchain Hack and Outage

Security researcher Rarma confirmed that the exploit was related to the IBC hooks exploit from April. The attacker utilized a malicious CosmWasm contract through IBC interactions to trigger the MsgTimeout within the IBC hook’s OnTimeout callback repeatedly. This flaw enabled recursive execution of the OnTimeout callback’s logic, potentially leading to loss of funds or unexpected token minting on chains using ibc-hooks to integrate ICS-20.

The vulnerability, present since April, allowed the attacker to manipulate the IBC transfer process, mint tokens on Terra, and transfer them off the platform. The attacker minted tokens using a contract, IBC call with IBC hooks, and timeouts, resulting in the exploit of 3.5 million axlUSDC, 500k USDT, 2.7 BTC, and 60m ASTRO tokens.

Following the breach, the hacker bridged the stolen assets back to Ethereum and swapped them for Ether (ETH). To counter the security breach, the development team swiftly stopped the blockchain to prevent further exploitation and deployed an emergency patch after four hours. This patch reinforced the blockchain’s security and resumed normal activities.

LUNC, the native token of Terra, was trading at $0.00008039, showing a decrease of -3.3% in the last 24 hours.