$7 600 000 USD

JULY 2021

GLOBAL

THORCHAIN

DESCRIPTION OF EVENTS

"Creating a secure cross-chain bridge is one of the most important milestones for the industry right now, and the race is on to be the first to provide it." "Founded in 2018, THORChain is a cross-chain exchange that facilitates transactions between the Binance, Ethereum, and Bitcoin blockchains, aiding in a difficult problem of inter-blockchain swaps without being compelled to pay sizable fees each time. This represents a tremendous pain point and the efforts of THORChain have been well-received, pushing up a token from a low of $0.00851264, two years ago, to a high of $20.89 two months ago." "THORChain entered into its guarded “Chaosnet” launch during April, facilitating cross-chain swaps across the Bitcoin, Ethereum, Litecoin, Bitcoin Cash and Binance Chain networks."

"THORChain doesn't have assets synthetically tied to a price using an oracle, rather arbitrage trading bots and individuals, seeking to squeeze a profit from the price differences of an individual cryptocurrency on different blockchains, keep the liquidity pool's volume high in the midst of regularly large price swings. Passive liquidity providers earn a steady stream of rewards, often representing an APR of 10%+, even after technical considerations like "impermanent loss" that chips away at total return if the tokens, when removed from the liquidity pool, aren't at 100% of the same ratio value as when you first staked them."

"The THORChain state machine and the BNB Bifrost Code were audited as part of Single Chain Chaosnet, but the updated MCCN state machine and its new MCCN Bifrosts were not."

"Even the old gods cannot escape the exploits. As the cross-chain attacks continue, THORChain becomes the latest victim. $5 million lost." "Estimates as to the scale of the damage vary, with THORChain revising the initial estimate that 13,000 Ether (ETH) (worth $25.1 million) had been stolen, bringing the total down to 4,000 ETH (roughly $7.6 million) as a ballpark for damages. A subsequent community-provided rundown of stolen assets suggests the figure is closer to $6 million." "The final sum was confirmed to be approximately $4.9 million."

"According to ThorChain’s preliminary incident report, the bug was located within the ETH Bifrost (bridge) code." "The code contains an over-ride loop, designed only for use in vaultTransferEvent transactions, which the hacker was able to manipulate. The hacker was able to wrap the router with their own contract, allowing them to access this over-ride."

"The attacker deployed a contract that sat in front of the Router, which was able to call the deposit() function of the Router. The ability for the Router to be wrapped was recently made available to support ecosystem development. The full scope of this was not assessed thoroughly at the time. The attack contract simply diverted the msg.value back to themselves, calling with a value of 0 into the Router. The Bifrost read the msg.value instead of the emitted deposit event. This is necessary to support Router upgrades, but should not have been for deposit events."

"Pool prices of various ETH-based assets were manipulated. Ether hit ~$350. YFI hit ~$259,640. Rune on Thorchain @ $4.66, on Binance RUNEUSDT @ $5.373 (7:44pm UTC). [The a]ttacker sent ETH from his `0x3a19` address to his smart contract. His smart contract returned his ETH to his `0x3a19` address. ETH pool LPs see an excess of ETH but are missing RUNE." "The 2,500 ETH was used in a looped fashion, triggering the exploit again each time this ETH was refunded. Because the pools use RUNE to exchange value between each other, when the asset's price went up and ETH's price went down."

"Targeted token LPs are missing the token, but should be excess in RUNE. Network solvency shows to be negative around 13,000 ETH but the hacker retains around 2,500 ETH, 57,975.33 SUSHI, 8.7365 YFI, 171,912.96 DODO, 514.519 ALCX, 1,167,216.739 KYL, and 13.30 AAVE."

"Many users are shocked and alarmed by this exploitation." "The price of RUNE, the native token of decentralized finance (DeFi) liquidity protocol Thorchain, dropped by about 15% [the ]day following [the] attack."

"THORChain has been scrambling to defend its position amid growing concern among token holders."

“When a centralised exchange is hacked, users don’t find out months later until their withdrawals are blocked or delayed. When THORChain suffers insolvency, everyone immediately knows. Which do you prefer?”

"ShapeShift CEO Erik Voorhees was one of them, but he lamented on his loss while remaining upbeat."

“Lost a bunch on my RUNE position today. Worth it. We’re in this for the long-term. Cross-chain decentralized trading with no intermediaries is worth a great many stumbles. Expect chaos during chaosnet.”

“The fix is to make the over-ride only happen if it specifically is a vaultTransferEvent” "THORChain has since tweeted that its preliminary roadmap to recovery is underway, announcing that after the vulnerability is patched and the network is restarted."
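The accounting flaw in the incident report (a msg.value override intended for vaultTransferEvent that also fired for deposits routed through a wrapper contract) and the quoted fix, modelled side by side as an added Go example; this is not THORNode's Bifrost code, and the Log/Tx types, the event names and the `0xROUTER` address are constructed assumptions.

```go
package main

// Log: emitting contract, event kind, decoded amount (constructed units).
type Log struct {
	Address string
	Event   string // "Deposit" or "VaultTransfer"
	Amount  uint64
}

// Tx: the outer transaction as the scanner sees it (msg.value plus logs).
type Tx struct {
	Value uint64
	Logs  []Log
}

// creditVulnerable models the flaw: the msg.value override meant only for
// vault transfers fires for every router event, so a wrapped deposit is
// credited with the outer transaction's value, not the router's Deposit.
func creditVulnerable(tx Tx, router string) uint64 {
	var credited uint64
	for _, l := range tx.Logs {
		if l.Address == router {
			credited += l.Amount
			if tx.Value > 0 { // override regardless of event type
				credited = tx.Value
			}
		}
	}
	return credited
}

// creditFixed trusts only what the router itself emitted and applies the
// msg.value override solely to VaultTransfer events.
func creditFixed(tx Tx, router string) uint64 {
	var credited uint64
	for _, l := range tx.Logs {
		switch {
		case l.Address != router: // logs from other contracts are ignored
		case l.Event == "VaultTransfer" && tx.Value > 0:
			credited += tx.Value
		default:
			credited += l.Amount
		}
	}
	return credited
}
```

For a constructed transaction carrying 2500 units to a wrapper that calls deposit() with value 0, creditVulnerable credits 2500 while creditFixed credits the 0 the router actually saw.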

"Once 67% had updated, the network restarted and began processing txIns. What wasn’t planned was that ETH LPs began withdrawing asymmetrically to ETH to take advantage of the fact that they were getting a claim on 13k ETH, when there was only 700 ETH. The correct response to this was to ask Nodes to shut down their Bifrosts to stop the withdrawals (the system was rapidly becoming insolvent), OR, have in place a mimir to halt withdrawals. This mimir setting hadn’t been built because of the system’s philosophy to never block withdrawals."

"In the heat of the moment the on-duty mimir admin incorrectly inferred that the response was to enable trading to correct the ETH price to stop the abuse from ETH LPs. This was as per the brief, but it was premature, since the ETH price hadn’t yet been updated from the store migration. The end result was that trading being re-enabled caused arbitrage agents to buy cheap ETH, instead of selling expensive ETH. By buying the cheap ETH, the remaining ETH in the system was taken and the network went insolvent." "Nodes were asked again to halt."

"In the THORChain community Telegram channel, administrators have indicated the project has the funds needed to cover users’ stolen assets but articulated a preference for the hacker to return the stolen funds in exchange for a bug bounty." "The team further explained that Thorchain’s treasury is likely the only entity that will bear the burden after the attack since its funds will be used to donate approximately $5 million worth of digital assets to Ethereum liquidity providers."

“While the treasury has the funds to cover the stolen amount, we request the attacker get in contact with the team to discuss return of funds and a bounty commensurate with the discovery,” a Telegram post stated, adding that user funds “will be available when the issue has been patched & the network resumes.”

"Ether will be donated to liquidity provider pools to reimburse impacted users. From there, the team plans to engage security firms to have its contracts audited."

ThorChain is a new form of decentralized exchange. The ThorChain funds were stored in smart contract hot wallets, a small portion of which had recently been upgraded. The new contract unfortunately had a mistake which allowed the hacker to override the bridge's deposit accounting and steal funds from multiple pools.

HOW COULD THIS HAVE BEEN PREVENTED?

The primary issue with ThorChain was keeping almost the entire token balance in a hot wallet. Every additional measure reduces the likelihood of future failures, but there is no way to prove with certainty that a hot wallet or smart contract is completely secure.

A more secure model would place the majority of funds in a multi-sig requiring the signatures of multiple known node operators, who know how to properly secure the keys offline. Funds could be released as needed for immediate liquidity, with a smaller balance at risk in the insured smart contract hot wallet.

Sources And Further Reading

Notion – The all-in-one workspace for your notes, tasks, wikis, and databases. (Jul 15)
SlowMist Hacked - SlowMist Zone (May 18)
Rekt - THORChain - REKT (Jul 30)
Address 0x3a196410a0f5facd08fd7880a4b8551cd085c031 | Etherscan (Aug 16)
THORChain Exploiter - Contract | 0x4a33862042d004d3fc45e284e1aafa05b48e3c9c (Aug 16)
Address 0x4b713980d60b4994e0aa298a66805ec0d35ebc5a | Etherscan (Aug 16)
bifrost/pkg/chainclients/ethereum/ethereum_block_scanner.go · develop · THORChain / THORNode · GitLab (Aug 16)
THORChain loses up to $7.6M in ‘Chaosnet’ exploit, offers hacker a bounty to return funds (Aug 16)
@THORChain Twitter (Aug 16)
@THORChain Twitter (Aug 16)
@ChrisBlec Twitter (Aug 16)
Thorchain was hacked TWICE last month. Once on July 15th for 7 million dollars, and the other time on July 22nd for 8 million dollars. You would think that would cause a dump, right? Nope, this is crypto, fundamentals don't matter! It's up over  (Aug 16)
Thorchain’s RUNE Token Slides 15% Following Multi-Million Dollar Exploit - Decrypt (Aug 16)
@THORChain Twitter (Aug 16)
THORChain Suffers a $7.8 million Dollar Attack. How a $1.4 billion Blockchain Behemoth Steadies the Ship. (Aug 16)
ThorChain’s "Chaosnet" Initially Reports a $25 Million Hack but Revised it to $4.9 Million Upon Investigation (Aug 16)
Thorchain Trolled by Hacker After Two Successful Seven-Figure Exploits – News Bitcoin News (Aug 16)
Dive Into DeFi: THORChain's Road to Asgardex (Aug 16)
Post Mortem Eth Router Exploits 1 2 And Premature Return To Trading Incident (Aug 27)
fix #923: chainclients: ethereum: block scanner: match logs address (not tx to) to smart contract addresses (!1692) · Merge requests · THORChain / THORNode · GitLab (Aug 27)
THORChain Hacks - What you want to know! - YouTube (Jan 16)

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.