QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$25 500 000 USD
NOVEMBER 2024
GLOBAL
THALA LABS
DESCRIPTION OF EVENTS

"Thala Labs provides an automated market maker and a yield-bearing stablecoin for the Aptos ecosystem known as the Move Dollar (MOD), named after Aptos' programming language. The protocol has the fourth-highest total value locked (TVL) of any DeFi protocol on Aptos, according to DefiLlama data."
"Thala is a suite of decentralized finance (DeFi) primitives serving as the backbone of the Aptos ecosystem. The protocol revolves around three modules: AMM, CDP, and LST."
"Thala Swap is an automated market maker (AMM) that offers a range of advanced features and pool types to facilitate efficient liquidity provision and optimization. The protocol supports stable pools and weighted pools, which enables more flexible and tailored liquidity pools, including liquidity bootstrapping pools (LBPs) to facilitate token launches. The Thala AMM unlocks composability and enables greater internal liquidity within the Thala ecosystem, providing a foundation for the growth and development of the broader Aptos and Move ecosystem."
"Move Dollar (MOD) is an over-collateralized, yield-bearing stablecoin designed for the Aptos ecosystem. It is backed by a diverse basket of on-chain assets, including liquid staked derivatives, liquidity pool tokens, deposit receipt tokens, and real-world assets (RWAs). This diverse collateral base ensures that MOD remains decentralized, censorship-resistant, and capital-efficient."
"Thala's Aptos (APT) liquid staking derivative follows a two-token model to enable greater yields relative to native staking. thAPT is a non-rebasing deposit receipt that is pegged to APT at a 1:1 ratio, while sthAPT is a rebasing deposit receipt that grows as validator rewards accrue over time."
The Thala Labs smart contracts were closed source, and the project ran no bug bounty program, so the community had no sanctioned path to find and report the vulnerability before it was exploited.
"The farming contract didn’t validate input values correctly, allowing the attacker to bypass standard checks."
"The Thala hack was made possible by a vulnerability in a recent update to the project’s smart contract code. A missing sanity check for withdrawing staked assets — validating that the user in question actually had a stake of the requested size — could have cost the project $25.5 million and ended up with a price tag of $300,000 in bounty payments."
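The missing check described in the quote above, shown as an added illustration that is not Thala's code (the real contracts are closed source, so the actual function is not on this page). The module name and address (farm_example), the Stake and Vault resource layouts and the abort code are all hypothetical; only the bug class is taken from the page: a withdraw path whose only bound on the requested amount is something other than the caller's own recorded stake. Because Move integer subtraction aborts on underflow, a plain stake.amount - amount would fail on its own; the vulnerable variant below uses the kind of saturating bookkeeping that quietly masks an oversized request.

```move
// Added example, not Thala's code. Module address, resource layouts and
// abort codes are hypothetical; only the bug class comes from the incident.
module farm_example::farm {
    use std::signer;
    use aptos_framework::coin::{Self, Coin};

    /// Hypothetical abort code.
    const E_INSUFFICIENT_STAKE: u64 = 1;

    /// Per-user stake record, stored under the staker's own account.
    struct Stake<phantom CoinType> has key { amount: u64 }

    /// Pooled vault of all staked coins, stored under the module address.
    struct Vault<phantom CoinType> has key { coins: Coin<CoinType> }

    /// VULNERABLE: the only bound on `amount` is the pool-wide vault balance,
    /// which says nothing about this caller. The per-user decrement saturates
    /// at zero instead of aborting, so a user who staked 10 can request
    /// 1_000_000 and receive it as long as the vault holds that much.
    public entry fun withdraw_unchecked<CoinType>(user: &signer, amount: u64)
        acquires Stake, Vault
    {
        let user_addr = signer::address_of(user);
        let vault = borrow_global_mut<Vault<CoinType>>(@farm_example);
        // Pool-level liquidity check only.
        assert!(coin::value(&vault.coins) >= amount, E_INSUFFICIENT_STAKE);
        let payout = coin::extract(&mut vault.coins, amount);
        coin::deposit(user_addr, payout);

        let stake = borrow_global_mut<Stake<CoinType>>(user_addr);
        // BUG: saturating bookkeeping hides the fact that amount > stake.amount.
        stake.amount = if (amount >= stake.amount) 0 else stake.amount - amount;
    }

    /// HARDENED: bound `amount` by the caller's own recorded stake before any
    /// coins move, and debit the record before the transfer so the state is
    /// consistent even if a later step aborts.
    public entry fun withdraw<CoinType>(user: &signer, amount: u64)
        acquires Stake, Vault
    {
        let user_addr = signer::address_of(user);
        let stake = borrow_global_mut<Stake<CoinType>>(user_addr);
        // The missing sanity check: does this user actually hold that much stake?
        assert!(amount <= stake.amount, E_INSUFFICIENT_STAKE);
        stake.amount = stake.amount - amount;

        let vault = borrow_global_mut<Vault<CoinType>>(@farm_example);
        let payout = coin::extract(&mut vault.coins, amount);
        coin::deposit(user_addr, payout);
    }
}
```

When reviewing a staking or farming module for this class of defect, look at every entry function that moves coins out of a shared vault and ask what bounds the amount: a check against the vault's total, a saturating subtraction, or a min() against the user's balance is not the same as an assert that the caller's own record covers the request.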
"The hacker stole $9 million worth of MOD tokens and $2.5 million worth of Thala's native governance token, THL, which the protocol was able to freeze."
"Thala has since paused all related contracts and frozen Thala token assets ($9m MOD and $2.5m THL). With the assistance of other organizations, the team identified the exploiter and negotiated a $300k bounty for a full recovery of user assets."
"[SEAL 911] identified the white hat hacker within minutes (i.e. name, location etc.) due to obvious onchain links. Fortunately, the white hat hacker reached out themselves a little bit later and returned the funds minus a bounty themselves," SEAL 911 member @pcaversaccio said. "It was a very easy win in that case, since no real negotiation was needed."
"While the hacked funds were fully recovered, the Thala token is still down about 35% since the incident occurred."
Thala Labs forms part of the backbone of the Aptos blockchain, offering liquidity, staking, swapping, and a stablecoin for the ecosystem. On November 15th, 2024, the protocol was exploited through a missing stake-size check in its farming contract and drained of $25.5m USD worth of assets. The team identified the exploiter and obtained a return of all funds except for a $300k bounty. They relaunched the application with all assets fully backed and will bring staking/unstaking back online following a security audit.
@thalalabs Twitter (Dec 20)
Thala Labs - Decentralized. Scalable. Liquid (Dec 20)
Thala Protocol | Thala (Dec 20)
@ThalaLabs Twitter (Dec 20)
Explained: The Thala Hack (November 2024) (Dec 20)
Breaking Down the Thala DeFi Hack & Move's Decompilation Risks (Dec 20)
https://cointelegraph.com/news/thala-recovers-25-million-exploiter-hacker-caught (Dec 20)
Thala Protocol’s Recovery from a $25M Exploit | by Ramprasad goud | Dec, 2024 | Medium (Dec 20)
https://www.theblock.co/post/326937/defi-protocol-thala-recovers-25-million-following-successful-hacker-negotiation (Dec 20)
@moon_shiesty Twitter (Dec 20)
DeFi Resilience: The Thala Labs Case Study - OneSafe Blog (Dec 20)
Thala Labs loses, then recovers, $25.5 million (Dec 20)
Aptos Explorer (Dec 20)
Aptos Explorer (Dec 20)
