DeFi darling ThorChain (RUNE) suffers $8m hack, its second in a week
Following the attacks, concerns mount over the network's long-term viability. However, ThorChain says it won't break them as a project.
Cross-chain DeFi protocol ThorChain suffered an exploit in the early hours, resulting in the loss of $8 million.
At present, details of the incident are still under investigation, but devs believe this to be a “whitehat” attack, meaning it was done to highlight security vulnerabilities. As such, the team is hopeful for a return of funds.
THORChain has suffered a sophisticated attack on the ETH Router, around $8m. The hacker deliberately limited their impact, seemingly a whitehat.
ETH will be halted until it can be peer-reviewed with audit partners, as a priority.
LPs in the ERC-20 pools will be subsidised.
— THORChain (@THORChain) July 23, 2021
Nonetheless, as the second such attack in a week, serious questions are being asked over the safeguards in place.
ThorChain under fire
According to ThorChain, the attack centered on exploiting a vulnerability in the “ETH Router.”
The ETH Router controls the movement of Ethereum-based tokens through ThorChain’s cross-chain decentralized exchange.
Earlier this month, ThorChain published an article titled “Post-mortem: ETH Router Upgrade,” in which they detailed the discovery of an ETH Router vulnerability by a whitehat hacker.
The piece says that the bug relates to ERC-777 tokens, which allow more complex functions than the standard ERC-20 tokens. With such a token, a “hook” brings a secondary deposit into the router. This vulnerability allows hackers to “double dip,” meaning the user is credited with more than they should be.
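The following is an added illustration, not code from ThorChain or its post-mortem: a toy Python model of how a transfer hook that triggers a secondary deposit can end in over-crediting, next to a generic re-entrancy guard that rejects it. The balance-delta accounting, the class and function names and the amounts are assumptions made for the model.

```python
# Toy model, constructed for illustration; not ThorChain's router code.
class HookToken:
    """Token with an ERC-777-style hook that runs before funds move."""
    def __init__(self):
        self.balances, self.hooks = {}, {}

    def transfer_from(self, sender, recipient, amount):
        hook = self.hooks.get(sender)
        if hook:
            hook()  # control passes to the sender mid-transfer
        if self.balances.get(sender, 0) < amount:
            raise RuntimeError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

class Router:
    """Assumed accounting: credit a deposit with the observed balance change."""
    def __init__(self, token, guarded):
        self.token, self.guarded = token, guarded
        self.credited, self.locked = {}, False

    def deposit(self, sender, amount):
        if self.guarded and self.locked:
            raise RuntimeError("re-entrant deposit rejected")
        self.locked = True
        try:
            before = self.token.balances.get(self, 0)
            self.token.transfer_from(sender, self, amount)
            delta = self.token.balances.get(self, 0) - before
            self.credited[sender] = self.credited.get(sender, 0) + delta
        finally:
            self.locked = False

def run(guarded, reenter):
    """Deposit 100; return (amount credited, tokens the router really holds)."""
    token = HookToken()
    router = Router(token, guarded)
    token.balances["user"] = 200
    state = {"reenter": reenter}
    def hook():
        if state["reenter"]:
            state["reenter"] = False
            router.deposit("user", 100)  # secondary deposit from inside the hook
    token.hooks["user"] = hook
    try:
        router.deposit("user", 100)
    except RuntimeError:
        pass  # models the whole transaction reverting
    return router.credited.get("user", 0), token.balances.get(router, 0)
```

Without the guard, the outer deposit's balance delta also contains the inner deposit, so the credited total exceeds what the router holds; an invariant check that credited amounts never exceed held balances catches this class of accounting error in tests.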
After the discovery of the bug, ThorChain said they issued a patch to upgrade the router.
The precise details of this latest attack haven’t yet been disclosed. However, it’s discouraging to learn that the ETH Router, which they supposedly upgraded, was the point of vulnerability.
The attacker left a message saying they could have taken more than they did. According to ThorChain, the attacker requested a 10% bounty, which the team is willing to pay.
The whitehat requested a 10% bounty – which will be awarded if they reach out, and they should be encouraged to do so.
It is a tough time for the community and project, and the pain is real.
The treasury has the funds to cover, but it's time to slow down.
— THORChain (@THORChain) July 23, 2021
In response, the firm said it had halted the ETH Router pending a review by audit partners.
$5 million also lost earlier this month
Just over a week ago, ThorChain suffered an attack in which hackers stole $5 million, a total of 2,500 Ether.
This attack was an exploit of the Bifröst Protocol, which ThorChain uses for the purposes of cross-chain compatibility.
In assessing the attack, ThorChain said the attacker had managed to trick Bifrost using a “custom wrapper contract.” This allowed them to withdraw funds without sending any in the first place.
Initial Assessment.
1) ETH Bifrost was recently updated to allow the router to be "wrapped" by contracts (to allow composability) https://t.co/GXclWbPgP2
2) The attacker then tricked the Bifrost by using a custom wrapper contract, when they actually transferred 0 ETH https://t.co/TlcNkO9PMj
— THORChain (@THORChain) July 16, 2021
The frequency of attacks on the ThorChain network has raised concerns within the crypto community about its viability. Nonetheless, ThorChain remains defiant in saying this won’t break the project or change its vision.