$5M in Ethereum Lost in THORChain Exploit
An attacker discovered a vulnerability in THORChain’s Chaosnet last night. It’s been estimated that they took around $4.9 million.
- THORChain has suffered an exploit on Chaosnet, resulting in losses of roughly $5 million for ETH liquidity providers.
- The THORChain team said that an attacker tricked the network's Bifröst protocol to send ETH to their own address.
- The liquidity providers will be reimbursed from the project's treasury.
THORChain is the latest DeFi attack victim.
THORChain Pauses Network After Attack
THORChain has been exploited.
The DeFi network, which focuses on cross-chain interoperability between protocols like Bitcoin and Ethereum, announced that an attacker had discovered a vulnerability on its Chaosnet.
Initial estimates suggested that the assailant had taken 13,000 ETH worth $24.7 million, though THORChain has since taken to Twitter to say that the losses were closer to $5 million.
Aside from the liquidity providers who had locked ETH in the network, THORChain investors have also been hard hit: RUNE, the protocol’s native token, is down 14.9% at the time of writing, trading under $5 for the first time since March.
In a tweet storm, THORChain explained how the attacker had taken the funds. The team said that they “tricked” the project’s Bifröst protocol with a custom wrapper contract, then made multiple transfers of 0 ETH. However, they sent a transaction that said that the value was 200 ETH and used a contract to direct the value back to their own address. They used the attack path multiple times over, meaning they could take millions of dollars’ worth of ETH.
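A simplified model of the accounting gap described above, as an added Python example that is not THORChain's or Bifröst's code. The dataclasses, the placeholder addresses and the naive crediting rule are assumptions chosen to match that description, and the sample transactions are constructed.

```python
from dataclasses import dataclass

ETH = 10**18
VAULT = "vault"        # placeholder for the address holding pooled ETH
ROUTER = "router"      # placeholder for the contract that emits deposit events

@dataclass(frozen=True)
class Transfer:
    """One ETH movement taken from a transaction's execution trace."""
    sender: str
    recipient: str
    wei: int

@dataclass(frozen=True)
class ObservedTx:
    tx_value_wei: int      # value field of the outer transaction
    event_amount_wei: int  # amount stated in the deposit event
    transfers: tuple       # every ETH movement in the trace, in order

def vault_net_inflow(tx: ObservedTx) -> int:
    """ETH that actually stayed in the vault once the transaction finished."""
    received = sum(t.wei for t in tx.transfers if t.recipient == VAULT)
    sent = sum(t.wei for t in tx.transfers if t.sender == VAULT)
    return received - sent

def naive_credit(tx: ObservedTx) -> int:
    """Assumed flawed rule: credit whatever the outer transaction says it carried."""
    return tx.tx_value_wei

def reconciled_credit(tx: ObservedTx) -> int:
    """Credit only ETH the vault kept, and only if the event agrees with it."""
    inflow = vault_net_inflow(tx)
    if inflow <= 0 or inflow != tx.event_amount_wei:
        return 0  # nothing to credit; a real observer would also raise an alert
    return inflow

# Constructed samples: a direct deposit, and a wrapper that forwards 0 ETH
# to the router while sending the 200 ETH it was given back to the caller.
HONEST = ObservedTx(5 * ETH, 5 * ETH, (
    Transfer("user", ROUTER, 5 * ETH), Transfer(ROUTER, VAULT, 5 * ETH)))
WRAPPED = ObservedTx(200 * ETH, 0, (
    Transfer("caller", "wrapper", 200 * ETH), Transfer("wrapper", ROUTER, 0),
    Transfer(ROUTER, VAULT, 0), Transfer("wrapper", "caller", 200 * ETH)))

if __name__ == "__main__":
    for name, tx in (("honest", HONEST), ("wrapped", WRAPPED)):
        print(name, naive_credit(tx) // ETH, reconciled_credit(tx) // ETH)
```

The reconciled rule credits a deposit only when the vault's own balance change and the declared amount agree, so value that merely passes through an intermediate contract is never counted.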
THORChain has since explained that the attack only affected ETH liquidity providers. As the attacker paid high slippage fees, THORChain said, nodes, arbitrageurs, and liquidity providers for ERC-20 tokens should profit from the attack.
THORChain paused the network last night and confirmed that it would donate funds to the ETH pool to restore those the liquidity providers lost. It also said it would work with security firms to conduct an audit.
In a Telegram post, the team noted that while it had enough funds in its treasury to cover the losses, it would offer a bounty to the attacker for the safe return of the funds.
Rounding off its breakdown of the attack, the team wrote:
“This is a disappointing moment for us all, but LPs and Nodes should be unaffected after all is recovered (the funds will be restored). The network will be stronger and more resilient.”
Several crypto community members have left messages of support for THORChain in the wake of the attack. “Innovation leads to exploitation,” said Andre Cronje, the creator of Yearn.Finance and many other DeFi protocols, before adding that exploits are more common in “new developing sectors.” Meanwhile, Solana’s Anatoly Yakovenko urged the team to “Stay strong!”
Innovation leads to exploitation. It’s why hardened protocols often stop innovating, very little upside to increase risk by innovating. It’s why we also see more exploits in new developing sectors.
— Andre Cronje (@AndreCronjeTech) July 16, 2021
THORChain’s Chaosnet was also targeted by attackers last month. That time, the losses came to around $140,000.
THORChain is best described as a decentralized liquidity protocol. It lets users exchange tokens for different Layer 1 blockchains, using the RUNE token to swap from one asset to another. The token model is designed so that RUNE becomes more valuable as the protocol attracts more liquidity.
THORChain has been active on social media throughout the night, though it’s likely a full post-mortem report will follow sometime after full details of the incident have been verified.
Disclosure: At the time of writing, the author of this feature owned ETH, ETH2X-FLI, and several other cryptocurrencies. Andre Cronje is an equity-holder in Crypto Briefing.