A Hattrick of Attacks: Thorchain (RUNE) Exploited, Yet Again, for $8 Million
Decentralized exchange (DEX) Thorchain suffered a “sophisticated” attack that led to a loss of about $8 million just a week after being exploited for $5 million. This year alone, the exchange has been attacked three times.
This time, the attack was on the ETH Router, and a whitehat hacker deliberately limiting their impact.
As a result, the network halted the ETH Router until it could be peer-reviewed by audit partners on priority. The exchange announced that liquidity providers (LPs) in the ERC-20 pools would be subsidized.
“Thorchain has had a horrible month, not going to sugar coat it. Bleh. The project needs to slow down. Time to take the tortoise strategy. Regardless, I remain a committed supporter and am glad these issues are being discovered during chaosnet,” said Erik Voorhees, CEO of cryptocurrency exchange ShapeShift, which recently announced the dissolution of the company to become a DAO.
The team said the plan is to keep the network chain halted and review all chain clients internally and externally. Once solvency is restored and everyone is satisfied, then restart it.
Thorchain further assured from Twitter that no loss had been suffered by LPs to date, with the treasury bearing the burden. The team noted that while a painful lesson, “that's what was chosen when Chaosnet was launched.”
Erik Voorhees CEO of ShapeShift
“To be fair here, ultimately, the real test always has to happen in public, with real money involved. Everything else is just playing. No public money has been lost, as the treasury of the project is covering these hacks. That doesn't mean it's okay, though.”
THORChain gives its LPs the First Class treatment.
– Insures their funds ✅
– Pays them block rewards whilst the network is halted ✅
There's nothing quite like it.
— THORChain (@THORChain) July 23, 2021
Thorchain further shared on Twitter that it will be awarding the whitehat hacker the requested 10% bounty if they reach out, which they encourage them to do so.
According to a message shared in the project’s Discord, the hacker claimed to have deliberately minimized the exploit to teach Thorchain a lesson, saying they could have stolen Bitcoin (BTC), Ether (ETH), Binance Coin (BNB), Lycancoin, and many BEP-20 tokens if they had wanted to.
BTC 2.32% Bitcoin / USD BTCUSD $ 48,294.20
$1,120.432.32% Volume 28.45 b Change $1,120.43 Open $48,294.20 Circulating 18.82 m Market Cap 908.88 b 1 d Stablecoins Come Under Scrutiny As Regulators Rev Up Crypto Clampdown Efforts 1 d Interactive Brokers Founder Already Red Pilled, Has Been “Itching” to Offer Crypto Trading for a Long Time 1 d Visa’s Head of Crypto Inquires About Solana (SOL), PayPal Officially Enables Crypto Trading for UK Customers ETH 0.62% Ethereum / USD ETHUSD $ 3,430.62
$21.270.62% Volume 15.91 b Change $21.27 Open $3,430.62 Circulating 117.58 m Market Cap 403.37 b 1 d Interactive Brokers Founder Already Red Pilled, Has Been “Itching” to Offer Crypto Trading for a Long Time 1 d Visa’s Head of Crypto Inquires About Solana (SOL), PayPal Officially Enables Crypto Trading for UK Customers 1 d Trezor Adds EIP-1559 Support to its Model T Wallet, $1 Billion Worth of ETH Burned BNB 1.31% Binance Coin / USD BNBUSD $ 411.21
$5.391.31% Volume 1.31 b Change $5.39 Open $411.21 Circulating 168.14 m Market Cap 69.14 b 1 d It Isn’t Layer 1 or Layer 2, It’s Time for LayerZero 1 w Solana (SOL) Pulls Over A 100x in 2021, Rising to the Top to Fight Ethereum 1 w Blockchain Platform Lido Now Supports Solana (SOL) Staking
The hacker further said they found “multiple critical issues” and that a 10% bug bounty could have prevented the incident.
“Do not rush code that controls nine figures,” the hacker said, “Disable until audits are complete.”
In April, Thorchain finally launched its multi-chain Chaosnet after three long years of development.
“The complexity of the state machine is currently its Achille's heel, but this can be solved with more eyes on, as well as a re-think in developer procedures and peer-review.”
This hack resulted in RUNE’s price dropping 26.5%, recovering to about $4, down 82% from its May peak of nearly $21.