
THORChain halts operations after a string of hacker attacks

The THORChain protocol team announced a halt to operations after several hacker attacks.

THORChain is the only decentralised liquidity network*

*currently paused.

But it’s about to become the most secure, only decentralised liquidity network.

THORChads are insanely focussed right now on nailing this.

And they deliver.

— THORChain (@THORChain) July 27, 2021

During the first attack, the attackers managed to deceive the Bifrost service, which is responsible for connecting nodes to blockchains and implementing witness transactions.

Several days later the protocol was hit again. Using a specially crafted contract, the attacker forced THORChain's Bifrost to accept fake assets and then withdrew them as real assets.

There was also another method of fraud reported. Hackers conducted an airdrop of UniH tokens among 76,000 Ethereum addresses. However, the THORmaximalist Twitter account strongly advised ignoring the tokens, as after approving them for swap on Uniswap the contract would empty the user’s wallet.

Someone is airdropping UniH tokens to ETH addresses.

Just ignore: do not exchange them on UniSwap. If you approve it for swapping, the contract will drain your wallet.

— THORchain.BULL (@THORmaximalist) July 23, 2021

The project's token (RUNE) contract was built with a transferTo function that uses tx.origin instead of msg.sender. This allows any contract to take payment from a user without prior permission, explained ForkLog smart-contracts developer Alexey Matiyasyevich:

“The transferTo function additionally removes the balance from the original transaction sender regardless of who invoked it. In this case, the user sent the transaction to the contract, the contract called RUNE, and the balance was taken from the user”.

He noted that the simplest attack pattern is to disseminate malicious tokens to all RUNE holders, add a liquidity pool on Uniswap in an ETH pair to create a price for the tokens, and wait for the user to attempt to sell them.
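A minimal token showing the tx.origin debit described above beside the msg.sender form. This is an added illustration, not the RUNE contract's source; the names ExampleToken, transferToVulnerable, transferToHardened and _move are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of the pattern; not the RUNE token source.
contract ExampleToken {
    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
        emit Transfer(address(0), msg.sender, supply);
    }

    // Pattern from the article: the debited account is tx.origin, the
    // externally owned account that signed the transaction.
    // When a user calls contract C and C calls this function, msg.sender
    // is C but tx.origin is still the user, so the user's balance is
    // debited although the user never approved C to spend it.
    function transferToVulnerable(address recipient, uint256 amount)
        external
        returns (bool)
    {
        _move(tx.origin, recipient, amount);
        return true;
    }

    // Hardened form: debit only the immediate caller. An intermediate
    // contract can then move nothing but its own balance; spending on a
    // user's behalf has to go through an explicit allowance instead.
    function transferToHardened(address recipient, uint256 amount)
        external
        returns (bool)
    {
        _move(msg.sender, recipient, amount);
        return true;
    }

    // Shared balance update; reverts on a zero recipient or short balance.
    function _move(address from, address to, uint256 amount) internal {
        require(to != address(0), "zero recipient");
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);
    }
}
```

When reviewing a token, any state change keyed on tx.origin rather than msg.sender is the line to flag.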

Analyst Sergey Nedashkovsky said that a total of 20,422 RUNE were stolen from nine users:

“The attack method was triggered by 22 users, but only nine had a positive balance at the moment of the attack”.

The community discovered that THORChain’s team knew about the danger of using transferTo earlier, but did nothing.

One of the dumbest things I've seen https://t.co/RQ6brLfj1t

— Igor Igamberdiev (@FrankResearcher) July 23, 2021

Before the halt was announced, project representatives signaled that additional tools to protect against attacks would be added, noting:

“It is unrealistic that THORChain will never be subjected to attacks, but these tools will ensure that the damage from them will be reduced”.

Earlier in July, hackers exploited a critical vulnerability in the cross-chain bridge ChainSwap’s smart contract and moved more than $4 million from DeFi projects.
