$8 000 000 USD

JULY 2021

GLOBAL

THORCHAIN

DESCRIPTION OF EVENTS

"THORChain (RUNE) [is] a decentralized cross-chain transaction protocol." "Creating a secure cross-chain bridge is one of the most important milestones for the industry right now, and the race is on to be the first to provide it." "Founded in 2018, THORChain is a cross-chain exchange that facilitates transactions between the Binance, Ethereum, and Bitcoin blockchains, aiding in a difficult problem of inter-blockchain swaps without being compelled to pay sizable fees each time. This represents a tremendous pain point and the efforts of THORChain have been well-received, pushing up a token from a low of $0.00851264, two years ago, to a high of $20.89 two months ago." "THORChain entered into its guarded “Chaosnet” launch during April, facilitating cross-chain swaps across the Bitcoin, Ethereum, Litecoin, Bitcoin Cash and Binance Chain networks."

 

"THORChain don't have assets synthetically tied to a price using an oracle, rather arbitrage trading bots and individuals, seeking to squeeze a profit from the price differences of an individual cryptocurrency on different blockchains, keep the liquidity pool's volume high in the midst of regularly large price swings. Passive liquidity providers earn a steady stream of rewards, often representing an APR of 10%+, even after technical considerations like "impermenant loss" that chips away at total return if the tokens, when removed from the liquidity pool, that aren't at 100% at the same radio value as when you first staked them."

 

"Following last week's hack, Thorchain said it had been audited by multiple blockchain security companies to locate bugs in a given network." "There were really only two options. Launch and accept the risk of issues, or not launch and stay in the 90% complete audit-review cycle for another six months. Both are difficult," Thorchain said." "The THORChain state machine and the BNB Bifrost Code was audited as part of Single Chain Chaosnet, but the updated MCCN state machine and its new MCCN Bifrosts were not. They were scheduled in with TrailOfBits, which unfortunately had not begun at the time of the first Exploit."

 

"THORChain (RUNE) said it was attacked again, and many ERC20 tokens including XRUNE were affected. This attack targeted ETH routing and lost 8 million U.S. dollars." For ThorChain, this was "its third critical attack in a month." "An attacker tricked the Bifröst protocol into accepting a fake deposit, then received a refund for the assets even though it hadn't deposited any to the protocol."

 

"THORChain has suffered a sophisticated attack on the ETH Router, around $8m. The hacker deliberately limited their impact, seemingly a whitehat." "THORChain suffered two back to back exploits. The first took all the ETH from the system via an attack contract that sat in front of the Router, and the second took all the economically significant ERC20s via an attack contract that sat behind the router."

 

"The team behind the project took to Twitter to announce that a hacker had carried out a “sophisticated attack” earlier this morning. The hacker used their own contract to trick THORChain’s Bifröst protocol into accepting a deposit of assets even though they hadn’t made any deposit. This essentially meant that they could receive a free refund without adding any funds to the protocol." "In both cases the exploits were able to trick the Bifrost into reporting receiving assets it had not. The root cause was a Bifrost interface that did not fully account for the degrees of manipulation that can occur in smart contract events."

 

"What was unknown at the time, was that there was another critical vulnerability in the ETH Router. The attacker created a fake router, then a deposit event emitted when the attacker sent ETH. The attacker passes returnVaultAssets() with a small amount of ETH, but the router is defined as an Asgard vault. On the Thorchain Router, it forwarded ETH to the fake Asgard. This creates a fake deposit event with a malicious memo. The Bifrost intercepts as a normal deposit and refunds to an attacker due to a bad memo definition."

 

"THORChain says the attacker made off with around $8 million." "Impact (~$8M USD) 966.62 ALCX 20,866,664.53 XRUNE 1,672,794.010 USDC 56,104 SUSHI 6.91 YFI 990,137.46 USDT" "The hacker left a note suggesting that they could have taken more than $8 million, adding that they spotted “multiple critical issues.”" "The attacker "intentionally limited the impact of the attack, which seems to be done by a white hat."" "THORChain said that the hacker was “seemingly a whitehat” because they made less impact than they could have done, and revealed that the hacker had requested a 10% bounty that would be awarded if they reach out."

 

“Could have taken ETH, BTC, LYC, BNB, and BEP20s if waited Wanted to teach lesson minimizing damage. Multiple critical issues. 10% VAR bounty would have prevented this. Disable until audits are complete. Audits are not a nice to have. Do not rush code that controls 9 figures.”

 

"The THORChain team and community have kicked off a 5-Pronged Plan to address, fix and recover." "ETH will be halted until it can be peer-reviewed with audit partners, as a priority. LPs in the ERC-20 pools will be subsidised." "The THORChain treasury will cover all losses to LPs. Nodes are not affected."

 

"The network has a ~$16m insolvency to deal with. The plan is: 1/3rd ($5.3m) will be directly contributed from the treasury assets, 1/3rd ($5.3m) will be loaned from Iron Bank using RUNE collateral and paid off later, and 1/3rd ($5.3m) will be arbed into the network after it is brought back online for trading."

 

The code will undergo the addition of an "Automatic Solvency Checker to halt as soon as a solvency is detected (pro-actively and re-actively)" They'll also be adding a "Node Operator Timeout [so that] any node can call to time-out the network for 25 mins if they suspect anything. This gives an ability for each of the 36 Node Operators to timeout an attack when they observe it." And "Outbound Throttling [so] the txOut queue is throttled to artificially delay the settlement of transactions when there are sudden spikes."

 

"Both Trail of Bits and Halborn Security are underway with two simultaneous audits." The project also plans to "[c]ommission a Bounty Program with Immunify." and "a Red Team with Halborn Security." ThorChain is also "[e]ngag[ing] with DeFi Insurance Protocols [in an] attempt to insure the entire protocol." "Whilst the treasury is able to cover the insolvencies, the treasury won’t exist forever. The solution is to insure all non-RUNE TVL with a DeFi Insurance Provider, using collateral and income from the system’s own reserves."

 

"Assuming all the Fixes are in place, the network is bought back online and is solvent, and can achieve stability, the timeline to Mainnet should be expect to be EoY 2021 or early 2022. Mainnet is simply the definition that the network is stable and secure."

ThorChain is a decentralized protocol for swapping assets between blockchains. As part of this protocol, a large number of tokens are stored in smart contract hot wallets. The protocol contained multiple vulnerabilities, including an issue where the attacker was able to create a malicious router, which could be used to fake the deposit of ERC20 tokens, which could later be withdrawn.

 

The ThorChain protocol plans to fully reimburse all affected users. They also have a number of upgrades to the code and process to find exploits, reduce the probability of a future exploit, and cover losses.

HOW COULD THIS HAVE BEEN PREVENTED?

The primary issue with ThorChain was having almost all balances of tokens in a hot wallet. While all measures employed will reduce the possibility of future failures, there is no way to prove with certainty that a hot wallet or smart contract is completely secure.

 

A more secure model would place the majority of funds in a multi-sig requiring the signatures of multiple known node operators, who know how to properly secure the keys offline. Funds could be released as needed for immediate liquidity, with a smaller balance at risk in the insured smart contract hot wallet.

 

Check Our Framework For Safe Secure Exchange Platforms

SlowMist Hacked - SlowMist Zone (May 17)
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 10)
PublicReports/Thorchain_Incident_Analysis_July_23_2021.pdf at master · HalbornSecurity/PublicReports · GitHub (Aug 10)
Rekt - THORChain - REKT 2 (Aug 10)
Thorchain was hacked TWICE last month. Once on July 15th for 7 million dollars, and the other time on July 22nd for 8 million dollars. You would think that would cause a dump, right? Nope, this is crypto, fundamentals don't matter! It's up over  (Aug 15)
Blockchain Protocol Thorchain Suffers $8M Hack (Aug 26)
@THORChain Twitter (Aug 26)
Rekt - THORChain - REKT (Jul 29)
THORChain Suffers a $7.8 million Dollar Attack. How a $1.4 billion Blockchain Behemoth Steadies the Ship.  (Aug 15)
Thorchain Trolled by Hacker After Two Successful Seven-Figure Exploits – News Bitcoin News (Aug 15)
Dive Into DeFi: THORChain's Road to Asgardex (Aug 15)
Post Mortem Eth Router Exploits 1 2 And Premature Return To Trading Incident (Aug 26)
fix #923: chainclients: ethereum: block scanner: match logs address (not tx to) to smart contract addresses (!1692) · Merge requests · THORChain / THORNode · GitLab (Aug 26)
bifrost/pkg/chainclients/ethereum/ethereum_block_scanner.go · develop · THORChain / THORNode · GitLab (Aug 15)
Notion – The all-in-one workspace for your notes, tasks, wikis, and databases. (Jul 14)
THORChain Hacks - What you want to know! - YouTube (Jan 16)
Thorchain hit by third attack in a month, incurs over $13 million in losses  (May 7)

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.