The THORChain protocol has lost, according to preliminary estimates, about $4.9 million in cryptocurrency due to a hacker attack. To contain the incident’s consequences, all network operations have been suspended by node consensus.
1/5 @THORChain Exploit Update :
Loss:
Approx ~$4.9mm USD was taken in the exploit, far less than the intitial figures posted earlier. A granular breakdown is being developed by the community.— THORchain.BULL (@THORmaximalist) July 16, 2021
DeFi-project THORChain — a liquidity protocol that enables swapping assets across different blockchains without transferring them to a third party.
Earlier the project team reported that attackers withdrew 13,000 ETH (~$24.76 million at the time of writing). This amount was later revised down to 4,000 ETH (~$7.62 million).
At this stage the estimate is around ~4000 ETH worth of assets (ETH/ERC20) was taken, not 13k ETH.
More detailed assessment and recovery steps will be announced soon.
The users who suffered (LPs) will be made whole in the coming weeks. https://t.co/LR2x8VZ2kx
— THORChain #ACTIVATETHESYNTHS⚡️ (@THORChain) July 15, 2021
According to data gathered by the community, the damage proved to be lower — under $5 million. At the address marked by Etherscan as implicated in the attack, assets worth $4.58 million are held.
The community put together a doc on the attack on @THORChain today. If you add up the assets stolen, it amounts to less than $5m USD.https://t.co/y2n7scjls7
— Chad Barraford #BRINGTHECHAOS (@CBarraford) July 16, 2021
The project team promised to provide a detailed post-mortem once all details are known. It is known that the attackers managed to “deceive” the Bifrost service, responsible for connecting nodes to blockchains and implementing witness transactions.
2/5 Method:
ETH Bifrost was tricked using a custom wrapper to read a deposit amount of 200 when it was actually zero. More details will be provided in the upcoming post mortem blog.
— THORchain.BULL (@THORmaximalist) July 16, 2021
“ETH Bitfrost was deceived by a custom wrapper that caused it to read the deposit amount as 200, when in fact it was zero,” said a community member under the handle THORchain.BULL.
The project’s CTO Chad Barraford said the team has already found a bug in the codebase and proposed a protocol improvement. If the community approves the changes, within 24 hours developers will implement the patch and resume network operations.
The bug in the code has been found by the team and a PR has already been opened to resolve the prob. If the community approves the change, the fix to @THORChain will be pushed out and trading resumed in ~24hrs I’m guessing. $RUNEhttps://t.co/g3AYszG8Gi
— Chad Barraford #BRINGTHECHAOS (@CBarraford) July 16, 2021
The team noted that THORChain’s reserve fund will be sufficient to cover losses to Ethereum liquidity providers. However, developers asked the attackers’ organizers to get in touch with them to discuss returning funds and paying adequate rewards for discovering the vulnerability.”
Developers also said that the attackers paid large fees — about $1.4 million to the nodes and another roughly $1.4 million to ERC-20 liquidity providers.
The attacker paid huge slip fees, approx $1.4m was captured by nodes, with further $1.4m by ERC20 LPs.
Only users affected are ETH LPs, and they will be made whole.
So despite the exploit, Nodes, LPs and Arbers will stand to profit considerably.
— THORChain #ACTIVATETHESYNTHS⚡️ (@THORChain) July 16, 2021
THORChain stressed that the project is now operating on Chaosnet, its testnet designed for “battle testing,” and therefore the attacks “were inevitable and always calculated.”
Attacks on Thorchain were inevitable and always calculated with.
The protocol is being battle tested and will harden with each attack.
Rather 50 succesful attacks now than 1 a few years from now.
Fix and iterate, onwards $RUNE
— Bitcøin_Sage⚡ (@Bitcoin_Sage) July 16, 2021
“Better 50 successful attacks now than one in a few years,” said the developer with the handle Bitcoin_Sage.
The RUNE token ranks 64th on CoinGecko with a market capitalization of $1.3 billion. In the last 24 hours its price has fallen by more than 14%. At the time of writing the asset traded at $4.79.
Earlier, hackers drained more than $4 million in cryptocurrency from various DeFi projects due to a vulnerability in the ChainSwap cross-chain bridge’s smart contract.
Earlier in June the DeFi protocol SafeDollar on the Polygon blockchain was hacked, and its stablecoin devalued. Attackers exploited a vulnerability that allowed them to mint an unlimited amount of the asset.
Subscribe to ForkLog news on VK: VK.