Thala Labs V1 Farming Contract Vulnerability

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Thala Labs Logo/Homepage

Thala Labs forms a backbone of the Aptos blockchain, offering liquidity, staking, swapping, and a stablecoin for the ecosystem. On November 15th, 2024, the protocol was successfully attacked and drained of $25.5m USD worth of funds. The protocol managed to identify the hackers and obtained the return of all funds except for a $300k bounty. They relaunched their application with all assets backed and will bring staking/unstaking back online following a proper security audit.[1][2][3][4][5][6][7][8][9][10][11][12][13][14]

About Thala Labs

"Thala Labs provides an automated market maker and a yield-bearing stablecoin for the Aptos ecosystem known as the Move Dollar (MOD), named after Aptos' programming language. The protocol has the fourth-highest total value locked (TVL) of any DeFi protocol on Aptos, according to DefiLlama data."

"Thala is a suite of decentralized finance (DeFi) primitives serving as the backbone of the Aptos ecosystem. The protocol revolves around three modules: AMM, CDP, and LST."

"Thala Swap is an automated market maker (AMM) that offers a range of advanced features and pool types to facilitate efficient liquidity provision and optimization. The protocol supports stable pools and weighted pools, which enables more flexible and tailored liquidity pools –– including liquidity bootstrapping pools (LBPs) to facilitate token launches. The Thala AMM unlocks composability and enables greater internal liquidity within the Thala ecosystem, providing a foundation for the growth and development of the broader Aptos and Move ecosystem."

"Move Dollar (MOD) is an over-collateralized, yield-bearing stablecoin designed for the Aptos ecosystem. It is backed by a diverse basket of on-chain assets, including liquid staked derivatives, liquidity pool tokens, deposit receipt tokens, and real-world assets (RWAs). This diverse collateral base ensures that MOD remains decentralized, censorship-resistant, and capital-efficient."

"Thala's Aptos (APT) liquid staking derivative follows a two-token model to enable greater yields relative to native staking. thAPT is a non-rebasing deposit receipt that is pegged to APT at a 1:1 ratio, while sthAPT is a rebasing deposit receipt that grows as validator rewards accrue over time."

The Reality

The Thala Labs smart contract was closed source and the team did not have a bug bounty program, which prevented the community from constructively discovering the vulnerability.

What Happened

"The Aptos-based DeFi project Thala suffered a security breach as a result of an isolated vulnerability in the latest update to v1 farming contracts, allowing the exploiter to withdraw liquidity pool tokens totaling $25.5m."

Key Event Timeline - Thala Labs V1 Farming Contract Vulnerability
(Date, Event: Description)

November 15th, 2024 7:25:36 AM MST, Attacker Funds Account: The attacker funds their Aptos wallet in preparation for the attack.

November 15th, 2024 12:32:09 PM MST, Funds Returned By Attacker: The funds were returned to the Thala Labs treasury account.

November 16th, 2024 1:33:00 AM MST, Thala Team Tweet: Thala posted an update to Twitter/X, reporting the losses were due to a vulnerability in the latest update to their v1 farming contracts, resulting in the theft of $25.5 million in liquidity pool tokens. The team quickly paused all affected contracts, froze $9 million in MOD and $2.5 million in THL tokens, and, with law enforcement's help, identified the exploiter and negotiated a $300k bounty for the full recovery of user assets. Affected users need not take any action, and their positions will be fully restored. The Thala frontend and relevant contracts remain paused for security, but CDP and LST module positions are unaffected. An extensive codebase review and re-audit are underway, with further updates to follow.

November 16th, 2024 11:22:00 PM MST, Application Is Back Live: Thala Finance announces that their application is once again live; however, the staking and unstaking functions will not be possible until an audit has been completed.

Technical Details

"The farming contract didn’t validate input values correctly, allowing the attacker to bypass standard checks."

"The Thala hack was made possible by a vulnerability in a recent update to the project’s smart contract code. A missing sanity check for withdrawing staked assets — validating that the user in question actually had a stake of the requested size — could have cost the project $25.5 million and ended up with a price tag of $300,000 in bounty payments."
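The class of bug described in the two quotations above, a withdrawal path that trusts the requested amount without confirming the caller actually holds a stake of that size, modelled here as an added example. This is not Thala's contract (which the page notes is closed source) and not Move code; it is a small Python farming-pool model written for this page. The names FarmingPool, withdraw_unchecked, withdraw_checked, try_withdraw and the two-staker scenario in demo() are constructed for illustration.

```python
from dataclasses import dataclass, field


class InsufficientStake(Exception):
    """Raised when a withdrawal request exceeds the caller's recorded stake."""


@dataclass
class FarmingPool:
    """Minimal model of a farming contract: users stake LP tokens, the pool custodies them.

    Invariant the contract must preserve: every recorded stake is non-negative and
    the sum of all stakes equals the LP tokens the pool actually holds.
    """
    pool_balance: int = 0                                   # LP tokens held by the pool
    stakes: dict[str, int] = field(default_factory=dict)    # user -> staked LP tokens

    def stake(self, user: str, amount: int) -> None:
        if amount <= 0:
            raise ValueError("stake amount must be positive")
        self.stakes[user] = self.stakes.get(user, 0) + amount
        self.pool_balance += amount

    def withdraw_unchecked(self, user: str, amount: int) -> int:
        """Vulnerable pattern (constructed): the requested amount is paid out without
        being validated against the caller's stake. The caller's ledger entry can go
        negative and the pool pays out tokens that belong to other stakers."""
        self.stakes[user] = self.stakes.get(user, 0) - amount
        self.pool_balance -= amount
        return amount

    def withdraw_checked(self, user: str, amount: int) -> int:
        """Hardened pattern: validate the input before moving any tokens, then
        re-check the accounting invariant after the state change."""
        if amount <= 0:
            raise ValueError("withdraw amount must be positive")
        staked = self.stakes.get(user, 0)
        if amount > staked:
            raise InsufficientStake(f"{user} has {staked} staked, requested {amount}")
        self.stakes[user] = staked - amount
        self.pool_balance -= amount
        if not self.invariant_holds():
            raise AssertionError("accounting invariant violated after withdrawal")
        return amount

    def invariant_holds(self) -> bool:
        """True when no stake is negative and the ledger total matches pool custody."""
        return (all(v >= 0 for v in self.stakes.values())
                and sum(self.stakes.values()) == self.pool_balance)


def try_withdraw(pool: FarmingPool, user: str, amount: int) -> tuple[bool, int]:
    """Call the hardened withdraw and report (accepted, amount_paid)."""
    try:
        return True, pool.withdraw_checked(user, amount)
    except (InsufficientStake, ValueError):
        return False, 0


def demo() -> dict:
    """Constructed scenario: two stakers, one over-sized withdrawal against each variant."""
    vulnerable = FarmingPool()
    vulnerable.stake("alice", 100)
    vulnerable.stake("bob", 50)
    paid = vulnerable.withdraw_unchecked("alice", 120)   # 20 more than alice ever staked

    hardened = FarmingPool()
    hardened.stake("alice", 100)
    hardened.stake("bob", 50)
    accepted, paid_checked = try_withdraw(hardened, "alice", 120)

    return {
        "unchecked_paid": paid,
        "unchecked_invariant": vulnerable.invariant_holds(),
        "unchecked_pool_balance": vulnerable.pool_balance,
        "checked_accepted": accepted,
        "checked_paid": paid_checked,
        "checked_invariant": hardened.invariant_holds(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the unchecked run the ledger total still equals the pool balance (both drop to 30), so a pool-level sum check alone would not flag the problem; it is the per-user non-negativity check that fails, and bob's remaining 50-token stake is now only 30 tokens backed. That is why the hardened path validates the caller's own stake before any transfer and treats an invariant failure after the transfer as a hard abort rather than a warning.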

Total Amount Lost

"The hacker stole $9 million worth of MOD tokens and $2.5 million worth of Thala's native governance token, THL, which the protocol was able to freeze."

The total amount lost has been estimated at $25,500,000 USD.

Immediate Reactions

"Thala has since paused all related contracts and frozen Thala token assets ($9m MOD and $2.5m THL). With the assistance of other organizations, the team identified the exploiter and negotiated a $300k bounty for a full recovery of user assets."

Ultimate Outcome

"[SEAL 911] identified the white hat hacker within minutes (i.e. name, location etc.) due to obvious onchain links. Fortunately, the white hat hacker reached out themselves a little bit later and returned the funds minus a bounty themselves," SEAL 911 member @pcaversaccio said. "It was a very easy win in that case, since no real negotiation was needed."

"While the hacked funds were fully recovered, the Thala token is still down about 35% since the incident occurred."

A bounty of $300,000 USD was paid for the discovery.

Total Amount Recovered

The total amount recovered has been estimated at $25,200,000 USD.


Ongoing Developments


Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References