Possible ‘white hat hacker’ exploits THORChain for $8M, proposes 10% bounty

Published at: July 23, 2021

Cross-chain decentralized exchange THORChain has suffered its second multimillion-dollar hack in as many weeks, with $8 million worth of Ether impacted.

However, the attack appears to have been carried out by a white hat hacker, with THORChain announcing the perpetrator had requested a 10% bounty. ETH will be halted until the code has been audited.

Liquidity providers impacted by the exploit will be subsidized using the project’s treasury funds.

The whitehat requested a 10% bounty - which will be awarded if they reach out, and they should be encouraged to do so. It is a tough time for the community and project, and the pain is real. The treasury has the funds to cover, but it's time to slow down.

— THORChain (@THORChain) July 23, 2021

The exchange, which is still in the middle of a staged beta launch called Chaosnet, conceded that the “complexity” of its state machine is THORChain’s “Achilles’ heel,” but asserted that its issues “can be solved with more eyes on, as well as a re-think in developer procedures and peer-review.”

A screenshot shared from the project’s Discord forum appears to show a message forwarded to the project by the hacker via transaction data.

The hacker claims they deliberately minimized the damage from the exploit in a bid to teach THORChain a lesson, stating: “Do not rush code that controls 9 figures,” and “Disable until audits are complete.”

The hacker adds that they could have stolen Ether, Bitcoin, Binance Coin, Lycancoin, and many BEP-20 tokens if they had wanted to, asserting that “multiple critical issues” were found and that a 10% bug bounty could have prevented the incident.

message from hacker... pic.twitter.com/1j8wOPcYHa

— zillaQuest!? (@zillaQuest) July 23, 2021

On July 16, Cointelegraph reported that THORChain had been halted after 4,000 Ether worth $7.6 million was drained from the protocol. The protocol unsuccessfully proposed a bug bounty to the hacker in exchange for returning the stolen funds.

The decentralized exchange also lost $140,000 in a separate exploit suffered last month.

THORChain entered into its guarded “Chaosnet” launch in April, enabling cross-chain swaps across the Bitcoin, Ethereum, Litecoin, Bitcoin Cash, and Binance Chain networks.
