THORChain hit by another exploit; loses up to $7.6M
With the emergence of cryptocurrencies, also came a corresponding rise in ransomware attacks. Several security loopholes in the cryptocurrency space in general, and smart contract platforms in particular, have come to light over the last few years. Once hailed as foolproof, blockchains have fallen fall prey to illicit activities, an assertion evidenced by the numerous scams and fraudulent activities that ensued.
The latest to fall victim to the same is THORChain, a popular cross-chain decentralized exchange. It’s in the news today after an exploit drained millions of dollars from the network. The community’s Telegram group initially pegged the loss at about 13,000 ETH (around $25 million). Later, however, this was revised on Twitter, with the project claiming,
“At this stage, the estimate is around ~4000 ETH worth of assets (ETH/ERC20) was taken, not 13k ETH. More detailed assessment and recovery steps will be announced soon. The users who suffered (LPs) will be made whole in the coming weeks.”
The fiat equivalent of the same stood at around $7.6 million. On the other hand, as per the THORChain community’s Telegram channel, the administrators estimated the illicit hack cost $4.9 million. In addition to this, its members were reassured by the project as well.
“While the treasury has the funds to cover the stolen amount, we request the attacker get in contact with the team to discuss the return of funds and a bounty commensurate with the discovery,” a Telegram post stated, adding that user funds “will be available when the issue has been patched and the network resumes.”
How did it happen?
As per an initial analysis report released by THORChain’s executives in a series of tweets,
Initial Assessment. 1) ETH Bifrost was recently updated to allow the router to be "wrapped" by contracts (to allow composability)https://t.co/GXclWbPgP22) The attacker then tricked the Bifrost by using a custom wrapper contract, when they actually transferred 0 ETH https://t.co/TlcNkO9PMj— THORChain #ACTIVATETHESYNTHS⚡️ (@THORChain) July 16, 2021
Moreover, a reality check and analysis that was posted as a response to this event on Twitter, included both aspects, good and bad.
“The first post-mortem statement. Which as would expect has good and bad elements:
GOOD: found the bug, caused by an obscure edge case exploited by the hacker, and it’s easy to fix
BAD: lost a notable amount of $$ and need to work up the best plan to true up all affect users”
The said post also attached a quick overview of the aforementioned development.
THORChain released the following preliminary roadmap to recovery.
This is a disappointing moment for all, but LPs and Nodes should be unaffected after all is recovered (the funds will be restored). The network will be stronger and more resilient.— THORChain #ACTIVATETHESYNTHS⚡️ (@THORChain) July 16, 2021
At the time of writing, the platform remained suspended until further notice.
THORChain’s trading operations are carried out using its native token, RUNE, in every trade. Even though it might include a double swap for exchanging one token for another (e.g. BTC to ADA, first BTC to RUNE, and then RUNE to ADA), the entire concept of ‘decentralization’ remains intact.
Eric Voorhees, the Founder of ShapeShift, remains undeterred, irrespective of the loss. He tweeted,
“Lost a bunch on my RUNE position today. Worth it. We’re in this for the long term. Cross-chain decentralized trading with no intermediaries is worth a great many stumbles. Expect chaos during chaosnet.”
DeFi Watch Founder Chris Blec also shared his optimism and put forward his vote of confidence.
Keep in mind – THORchain has been responsibly using a guarded launch approach to its rollout. This exploit could have been *much worse* if they had just recklessly launched without caps on its liquidity pools.— Chris Blec (@ChrisBlec) July 15, 2021
Having said that, this isn’t the first such incident for THORChain. During its Chaosnet deployment, it had lost around $140,000 worth of assets over the previous month. At the time, the project had claimed it was “very mature and resilient.”
Subscribe to our NewsletterSource