Possible ‘white hat hacker’ exploits THORChain for $8M, proposes 10% bounty

Cross-chain decentralized exchange THORChain has suffered its second multimillion-dollar hack in as many weeks, with $8 million worth of Ether impacted.

However, the attack appears to have been carried out by a white hat hacker, with THORChain announcing the perpetrator had requested a 10% bounty. ETH will be halted until the code has been audited.

Liquidity providers impacted by the exploit will be subsidized using the project’s treasury funds.

The whitehat requested a 10% bounty - which will be awarded if they reach out, and they should be encouraged to do so. It is a tough time for the community and project, and the pain is real. The treasury has the funds to cover, but it's time to slow down.

The exchange — which is still in the middle of a staged beta launch called Chaosnet — conceded that the “complexity” of its state machine comprises THORChain’s “Archille’s heel,” however asserted that its issues “can be solved with more eyes on, as well as a re-think in developer procedures and peer-review.”

A screenshot shared from the project’s Discord forum appears to show a message forwarded to the project by the hack via transaction data.

The hacker claims they deliberately minimized the damage from the exploit in a bid to teach THORChain a lesson, stating: “Do not rush code that controls 9 figures,” and “Disable until audits are complete.”

The hacker adds that they could have stolen Ether, Bitcoin, Binance Coin, Lycancoin, and many BEP-20 tokens if they had wanted to, asserting that “multiple critical issues” were found and that a 10% bug bounty could have prevented the incident.

message from hacker... pic.twitter.com/1j8wOPcYHa

On July 16, Cointelegraph reported that THORChain had been halted after 4,000 Ether worth $7.6 million was drained from the protocol. The protocol unsuccessfully proposed a bug bounty to the hacker in exchange for returning the stolen funds.

Related: ChainSwap announces compensation and ‘deep audit’ plan after $8M exploit

The decentralized exchange also lost $140,000 in a separate exploit suffered last month.

THORChain entered into its guarded “Chaosnet” launch in April, enabling cross-chain swaps across the Bitcoin, Ethereum, Litecoin, Bitcoin Cash, and Binance Chain networks.