ThorChain ETH Router Flaw
ThorChain is a decentralized protocol for swapping assets between blockchains. As part of this protocol, a large number of tokens are held in smart-contract hot wallets (vaults) on each supported chain. The protocol contained multiple vulnerabilities. In this incident the attacker deployed a malicious contract that sat behind the THORChain ETH router and emitted a fake ERC20 deposit event; the Bifrost, the component that watches Ethereum for deposits, accepted the event as a real deposit, and the network then refunded tokens that had never been deposited to the attacker.
THORChain plans to fully reimburse all affected liquidity providers from its treasury. It has also announced code and process changes intended to find exploits earlier, reduce the probability of a future exploit, and cover any losses that do occur.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]
About ThorChain
"THORChain (RUNE) [is] a decentralized cross-chain transaction protocol." "Creating a secure cross-chain bridge is one of the most important milestones for the industry right now, and the race is on to be the first to provide it." "Founded in 2018, THORChain is a cross-chain exchange that facilitates transactions between the Binance, Ethereum, and Bitcoin blockchains, aiding in a difficult problem of inter-blockchain swaps without being compelled to pay sizable fees each time. This represents a tremendous pain point and the efforts of THORChain have been well-received, pushing up a token from a low of $0.00851264, two years ago, to a high of $20.89 two months ago." "THORChain entered into its guarded “Chaosnet” launch during April, facilitating cross-chain swaps across the Bitcoin, Ethereum, Litecoin, Bitcoin Cash and Binance Chain networks."
"THORChain doesn't have assets synthetically tied to a price using an oracle; rather, arbitrage trading bots and individuals, seeking to squeeze a profit from the price differences of an individual cryptocurrency on different blockchains, keep the liquidity pool's volume high in the midst of regularly large price swings. Passive liquidity providers earn a steady stream of rewards, often representing an APR of 10%+, even after technical considerations like "impermanent loss" that chips away at total return if the tokens, when removed from the liquidity pool, aren't at 100% of the same ratio value as when you first staked them."
"Following last week's hack, Thorchain said it had been audited by multiple blockchain security companies to locate bugs in a given network." "There were really only two options. Launch and accept the risk of issues, or not launch and stay in the 90% complete audit-review cycle for another six months. Both are difficult," Thorchain said." "The THORChain state machine and the BNB Bifrost Code was audited as part of Single Chain Chaosnet, but the updated MCCN state machine and its new MCCN Bifrosts were not. They were scheduled in with TrailOfBits, which unfortunately had not begun at the time of the first Exploit."
"THORChain (RUNE) said it was attacked again, and many ERC20 tokens including XRUNE were affected. This attack targeted ETH routing and lost 8 million U.S. dollars." For ThorChain, this was "its third critical attack in a month." "An attacker tricked the Bifröst protocol into accepting a fake deposit, then received a refund for the assets even though it hadn't deposited any to the protocol."
"THORChain has suffered a sophisticated attack on the ETH Router, around $8m. The hacker deliberately limited their impact, seemingly a whitehat." "THORChain suffered two back to back exploits. The first took all the ETH from the system via an attack contract that sat in front of the Router, and the second took all the economically significant ERC20s via an attack contract that sat behind the router."
"The team behind the project took to Twitter to announce that a hacker had carried out a “sophisticated attack” earlier this morning. The hacker used their own contract to trick THORChain’s Bifröst protocol into accepting a deposit of assets even though they hadn’t made any deposit. This essentially meant that they could receive a free refund without adding any funds to the protocol." "In both cases the exploits were able to trick the Bifrost into reporting receiving assets it had not. The root cause was a Bifrost interface that did not fully account for the degrees of manipulation that can occur in smart contract events."
"What was unknown at the time was that there was another critical vulnerability in the ETH Router. The attacker created a fake router; a deposit event was then emitted when the attacker sent ETH. The attacker calls returnVaultAssets() with a small amount of ETH, but the router is defined as an Asgard vault. On the Thorchain Router, it forwarded ETH to the fake Asgard. This creates a fake deposit event with a malicious memo. The Bifrost interprets it as a normal deposit and refunds to the attacker due to a bad memo definition."
"THORChain says the attacker made off with around $8 million." "Impact (~$8M USD) 966.62 ALCX 20,866,664.53 XRUNE 1,672,794.010 USDC 56,104 SUSHI 6.91 YFI 990,137.46 USDT" "The hacker left a note suggesting that they could have taken more than $8 million, adding that they spotted “multiple critical issues.”" "The attacker 'intentionally limited the impact of the attack, which seems to be done by a white hat.'" "THORChain said that the hacker was “seemingly a whitehat” because they made less impact than they could have done, and revealed that the hacker had requested a 10% bounty that would be awarded if they reach out."
“Could have taken ETH, BTC, LYC, BNB, and BEP20s if waited Wanted to teach lesson minimizing damage. Multiple critical issues. 10% VAR bounty would have prevented this. Disable until audits are complete. Audits are not a nice to have. Do not rush code that controls 9 figures.”
"The THORChain team and community have kicked off a 5-Pronged Plan to address, fix and recover." "ETH will be halted until it can be peer-reviewed with audit partners, as a priority. LPs in the ERC-20 pools will be subsidised." "The THORChain treasury will cover all losses to LPs. Nodes are not affected."
"The network has a ~$16m insolvency to deal with. The plan is: 1/3rd ($5.3m) will be directly contributed from the treasury assets, 1/3rd ($5.3m) will be loaned from Iron Bank using RUNE collateral and paid off later, and 1/3rd ($5.3m) will be arbed into the network after it is brought back online for trading."
The code will undergo the addition of an "Automatic Solvency Checker to halt as soon as an insolvency is detected (pro-actively and re-actively)". They'll also be adding a "Node Operator Timeout [so that] any node can call to time-out the network for 25 mins if they suspect anything. This gives an ability for each of the 36 Node Operators to timeout an attack when they observe it." And "Outbound Throttling [so] the txOut queue is throttled to artificially delay the settlement of transactions when there are sudden spikes."
"Both Trail of Bits and Halborn Security are underway with two simultaneous audits." The project also plans to "[c]ommission a Bounty Program with Immunify." and "a Red Team with Halborn Security." ThorChain is also "[e]ngag[ing] with DeFi Insurance Protocols [in an] attempt to insure the entire protocol." "Whilst the treasury is able to cover the insolvencies, the treasury won’t exist forever. The solution is to insure all non-RUNE TVL with a DeFi Insurance Provider, using collateral and income from the system’s own reserves."
"Assuming all the Fixes are in place, the network is brought back online and is solvent, and can achieve stability, the timeline to Mainnet should be expected to be EoY 2021 or early 2022. Mainnet is simply the definition that the network is stable and secure."
The Reality
The single-chain Chaosnet state machine and the BNB Bifrost had been audited, but the updated multi-chain (MCCN) state machine and its new Bifrosts had not: their Trail of Bits audit was scheduled but had not begun when the first exploit occurred, and the team had chosen to launch rather than remain in the audit-review cycle for another six months. After the first ETH Router exploit a second critical vulnerability in the ETH Router remained unknown until this attack. The root cause, in the team's own words, was a Bifrost interface that did not fully account for the degrees of manipulation that can occur in smart contract events.
What Happened
| Date | Event | Description |
|---|---|---|
| July 22nd, 2021 | Main Event | An attacker, using a contract placed behind the THORChain ETH router, caused a fake ERC20 deposit event with a malicious memo to be emitted and accepted by the Bifrost; the network refunded the nonexistent deposit, paying out roughly $8M in ALCX, XRUNE, USDC, SUSHI, YFI and USDT. The attacker left a note saying more could have been taken and requested a 10% bounty. ETH trading was halted and the treasury committed to cover LP losses. |
Technical Details
The exploit chained two weaknesses described in the sources. First, the ETH Router's returnVaultAssets() could be called with a small amount of ETH while an attacker-controlled contract was supplied where an Asgard vault was expected, so the real router forwarded the ETH, and control, into the attacker's contract. Second, the Bifrost's Ethereum block scanner identified deposits by checking that the transaction had been sent to the router and then parsing Deposit events out of the receipt, without checking that the router itself had emitted them; the fix, THORNode MR !1692, matches the log address rather than tx.to against the known contract addresses. The attacker's contract, executing inside a transaction addressed to the router, emitted a Deposit event naming ERC20 amounts that never moved, with a memo the network could not process. THORNode treated the event as a real inbound deposit and, because an unprocessable memo triggers a refund, sent the "deposited" tokens to the attacker. This was the second of two back-to-back ETH Router exploits: the first used an attack contract in front of the router to take ETH, this one an attack contract behind the router to take the economically significant ERC20s.
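The Bifrost's Ethereum block scanner is written in Go (see the ethereum_block_scanner.go entry in the references), so the following added example is in Go. It is not THORChain's code: it models, with hand-built types standing in for go-ethereum's receipt and log structures, the pre-fix scanner that keyed on tx.to beside the post-fix scanner that matches the emitting contract address (the fix named in the title of THORNode MR !1692 in the references), and the refund-on-bad-memo settlement that turned the fabricated event into a payout. The addresses, the memo grammar and the receipt are constructed placeholders, not chain data.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-ins for the go-ethereum receipt types Bifrost reads, pre-decoded so this runs offline.
type Log struct {
	Emitter string // log.address: the contract that actually emitted the event
	Event   string // stands in for topics[0], the event signature
	To      string // vault address carried in the Deposit event
	Asset   string // token symbol, or ETH for native ether
	Amount  uint64 // smallest unit of the asset (USDC has 6 decimals)
	Memo    string // THORChain memo carried in the event data
}

// From is the EOA that signed the transaction; To is tx.to, the contract it called.
type Receipt struct {
	From, To string
	Logs     []Log
}

// InboundTx is what the scanner hands to THORNode; Outbound is what THORNode schedules.
type InboundTx struct {
	Sender, Vault, Asset, Memo string
	Amount                     uint64
}
type Outbound struct {
	To, Asset, Reason string
	Amount            uint64
}

// Abbreviated, constructed placeholder addresses; none of these is a real contract.
// attacker is the EOA sending the tx; fakeRouter is its contract behind the real router.
const router, asgard, attacker, fakeRouter = "0xR0UTER", "0xA5GARD", "0xBAD1", "0xBAD2"
const depositEvent = "Deposit(address,address,uint256,string)"

// scanByTxTo reproduces the pre-fix logic: once tx.to is the router, every
// Deposit-shaped log in the receipt is trusted, whichever contract emitted it.
func scanByTxTo(r Receipt, routerAddr string) []InboundTx {
	if !strings.EqualFold(r.To, routerAddr) {
		return nil
	}
	var out []InboundTx
	for _, l := range r.Logs {
		if l.Event == depositEvent {
			out = append(out, InboundTx{r.From, l.To, l.Asset, l.Memo, l.Amount})
		}
	}
	return out
}

// scanByEmitter applies the fix from THORNode MR !1692: a Deposit log counts only when
// log.address is a contract the network deployed (keys of trusted are lower-cased addresses).
func scanByEmitter(r Receipt, trusted map[string]bool) []InboundTx {
	var out []InboundTx
	for _, l := range r.Logs {
		if l.Event == depositEvent && trusted[strings.ToLower(l.Emitter)] {
			out = append(out, InboundTx{r.From, l.To, l.Asset, l.Memo, l.Amount})
		}
	}
	return out
}

// validMemo is a deliberately narrow stand-in for THORNode's memo parser.
func validMemo(m string) bool {
	parts := strings.SplitN(m, ":", 2)
	switch strings.ToUpper(parts[0]) {
	case "SWAP", "=", "ADD", "+", "WITHDRAW", "-":
		return len(parts) == 2 && parts[1] != ""
	}
	return false
}

// settle shows why a fabricated deposit paid out: an unparseable memo triggers a refund
// of the observed asset and amount to the observed sender.
func settle(tx InboundTx) Outbound {
	if !validMemo(tx.Memo) {
		return Outbound{tx.Sender, tx.Asset, "refund: unparseable memo", tx.Amount}
	}
	return Outbound{tx.Vault, tx.Asset, "credited to vault", tx.Amount}
}

// attackReceipt is a constructed receipt in the shape of the July 22nd exploit: the attacker's
// contract, called by the real router, emits a Deposit for 1,672,794.010 USDC that never moved.
func attackReceipt() Receipt {
	return Receipt{From: attacker, To: router, Logs: []Log{{
		Emitter: fakeRouter, Event: depositEvent, To: asgard,
		Asset: "USDC", Amount: 1_672_794_010_000, Memo: "NOT-A-THORCHAIN-MEMO",
	}}}
}

func main() {
	r := attackReceipt()
	for _, tx := range scanByTxTo(r, router) {
		fmt.Printf("pre-fix scanner trusted %+v\n  settlement: %+v\n", tx, settle(tx))
	}
	fmt.Println("fixed scanner inbound count:", len(scanByEmitter(r, map[string]bool{strings.ToLower(router): true})))
}
```

Run as-is and the pre-fix scanner reports one USDC deposit from the attacker, which settles as a refund to the attacker of the full fabricated amount; the fixed scanner reports nothing, because the only Deposit log in the receipt was emitted by an address the network never deployed. The memo check matters as the second half of the chain: had the event carried a memo THORNode could act on, the same fabricated deposit would have been credited to a vault instead of refunded, which is a different loss, not a safe outcome.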
Total Amount Lost
The total amount lost has been estimated at $8,000,000 USD.
The $8,000,000 figure is the USD value, at the time of the attack, of the ERC20 tokens listed in the Impact breakdown above (ALCX, XRUNE, USDC, SUSHI, YFI and USDT); one source rounds it to $7.8 million. The ~$16m insolvency cited in the recovery plan is not a conflicting estimate of this attack: it combines this loss with the roughly $7 million taken in the first ETH Router exploit on July 15th, 2021.
Immediate Reactions
THORChain announced the attack on Twitter the same morning, halted the ETH chain until it could be peer-reviewed with audit partners, stated that the treasury would cover all losses to liquidity providers (nodes were not affected), and kicked off a 5-pronged plan to address, fix and recover. The team described the attacker as seemingly a whitehat and said the requested 10% bounty would be awarded if the attacker reached out.
Ultimate Outcome
The sources describe no investigation, prosecution or lawsuit. The network's response was financial and technical: the ~$16m insolvency left by the two ETH Router exploits was to be covered one third from treasury assets, one third by a loan from Iron Bank against RUNE collateral, and one third by arbitrage after trading resumed; audits by Trail of Bits and Halborn Security, a bounty program, a red team engagement, and DeFi insurance for all non-RUNE TVL were commissioned; and the automatic solvency checker, node operator timeout and outbound throttling described above were added to the code.
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
None of the stolen funds are reported as returned by the attacker. Liquidity providers in the ERC-20 pools were to be subsidised, with the THORChain treasury covering all LP losses.
Ongoing Developments
At the time of the sources, the Trail of Bits and Halborn audits, the bounty program and red team engagement, the attempt to insure non-RUNE TVL with a DeFi insurance provider, the return of ETH trading, and the move to Mainnet (expected at the end of 2021 or early 2022) all remained open.
General Prevention Policies
The primary issue with ThorChain was that almost the entire balance of every supported token sat in a smart-contract hot wallet. The immediate defect was narrower: the Bifrost's Ethereum chain client trusted any Deposit event in a transaction addressed to the router without checking which contract had emitted it, so a contract sitting behind the router could fabricate a deposit, and the refund logic then paid the fabricated amount out. Fixes of that kind reduce the probability of future failures, but there is no way to prove with certainty that a hot wallet or smart contract is completely secure.
A more secure model would place the majority of funds in a multi-signature wallet requiring the signatures of multiple known node operators who keep their keys properly secured offline. Funds could be released to the hot wallet as needed for immediate liquidity, leaving a smaller, insured balance at risk in the smart contract.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ SlowMist Hacked - SlowMist Zone (May 18, 2021)
- ↑ blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
- ↑ PublicReports/Thorchain_Incident_Analysis_July_23_2021.pdf at master · HalbornSecurity/PublicReports · GitHub (Aug 11, 2021)
- ↑ Rekt - THORChain - REKT 2 (Aug 11, 2021)
- ↑ Thorchain was hacked TWICE last month. Once on July 15th for 7 million dollars, and the other time on July 22nd for 8 million dollars. You would think that would cause a dump, right? Nope, this is crypto, fundamentals don't matter! It's up over (Aug 16, 2021)
- ↑ Blockchain Protocol Thorchain Suffers $8M Hack (Aug 27, 2021)
- ↑ @THORChain Twitter (Aug 27, 2021)
- ↑ Rekt - THORChain - REKT (Jul 30, 2021)
- ↑ THORChain Suffers a $7.8 million Dollar Attack. How a $1.4 billion Blockchain Behemoth Steadies the Ship. (Aug 16, 2021)
- ↑ Thorchain Trolled by Hacker After Two Successful Seven-Figure Exploits – News Bitcoin News (Aug 16, 2021)
- ↑ Dive Into DeFi: THORChain's Road to Asgardex (Aug 16, 2021)
- ↑ Post Mortem Eth Router Exploits 1 2 And Premature Return To Trading Incident (Aug 27, 2021)
- ↑ fix #923: chainclients: ethereum: block scanner: match logs address (not tx to) to smart contract addresses (!1692) · Merge requests · THORChain / THORNode · GitLab (Aug 27, 2021)
- ↑ bifrost/pkg/chainclients/ethereum/ethereum_block_scanner.go · develop · THORChain / THORNode · GitLab (Aug 16, 2021)
- ↑ Notion – The all-in-one workspace for your notes, tasks, wikis, and databases. (Jul 15, 2021)
- ↑ THORChain Hacks - What you want to know! - YouTube (Jan 16, 2022)
- ↑ Thorchain hit by third attack in a month, incurs over $13 million in losses (May 7, 2022)