- THORChain, one of the most popular cross-chain DEXs, has suffered an exploit in which the attacker made off with 4,000 Ether.
- The team responded quickly, finding the exploited bug and releasing a fix which, if approved by the community, will be implemented within 24 hours.
One of the most popular cross-chain decentralized exchanges (DEXs) has undergone an attack, with thousands of Ether taken, just weeks after a similar attack. THORChain announced the exploit on Twitter, revealing that the attacker had tricked the ETH Bifrost using a custom wrapper contract. The project promised it would restore the lost funds to ETH liquidity providers.
THORChain developers initially claimed that the attackers had made off with 13,000 ETH. However, they later corrected this and revealed that the damage was at 4,000 ETH. They then halted the network to investigate the extent of the exploit and how to quickly patch the vulnerability.
At this stage the estimate is around ~4000 ETH worth of assets (ETH/ERC20) was taken, not 13k ETH.
More detailed assessment and recovery steps will be announced soon.
The users who suffered (LPs) will be made whole in the coming weeks. https://t.co/LR2x8VZ2kx
— THORChain #ACTIVATETHESYNTHS⚡️ (@THORChain) July 15, 2021
In its initial assessment, the team revealed that the attack came through the ETH Bifrost, which had recently been “updated to allow the router to be ‘wrapped’ by contracts (to allow composability).”
“The attacker then tricked the Bifrost by using a custom wrapper contract, when they actually transferred 0 ETH,” the developers revealed.
In response, the team released a patch and restarted the network, blocked the pending outbounds and restored solvency.
‘Return the funds and we’ll compensate you’
On Telegram, the THORChain team told the community that the project has enough funds in its war chest to compensate those who had lost their funds. However, it called on the attacker to return the stolen funds, offering a reward paid as part of the bug bounty program.
While the treasury has the funds to cover the stolen amount, we request the attacker get in contact with the team to discuss return of funds and a bounty commensurate with the discovery.
In what is one of the most unexpected aspects of the exploit, nodes and liquidity providers in the network made millions from the exploit. The THORChain team revealed:
The attacker paid huge slip fees, approx $1.4m was captured by nodes, with a further $1.4m by ERC20 LPs. Only users affected are ETH LPs, and they will be made whole. So despite the exploit, Nodes, LPs and Arbers will stand to profit considerably.
THORChain’s RUNE token took a hit following the exploit.
In the past 24 hours, it has shed 18 percent, according to our data, to trade at $4.70 at press time, down from $5.83. The token now has a market cap of $1.09 billion, making it the 65th largest crypto in the market.
RUNE down 14% after @THORChain suffered a ~4,000 ETH attack ($7.8 million.) The network’s reserve ($109 million) is making users whole.
Obviously better if it never happens, but in the long run network is now more secure and the transparency remains unparalleled.
— Zack Guzmán (@zGuz) July 16, 2021
THORChain launched its Chaosnet in April, touting itself as the first platform to ever allow native crypto assets to be traded on a DEX across unique blockchains without bridging technology or wrapped tokens. It facilitates cross-chain swaps across the Bitcoin, Ethereum, Bitcoin Cash, Binance Smart Chain and Litecoin blockchains.
At the time, Erik Voorhees, the founder of ShapeShift and a crypto titan, touted the launch as one of the biggest events in crypto this year.
“Thorchain goes live tomorrow. Native cross-chain decentralized exchange. Never been done before. Arguably the biggest event in crypto this week, though it may not be obvious for a year or two ;),” he tweeted.