THORChain Suffers Another Attack: $8 Million Held, Hacker Wants 10% Bounty

THORChain has been once again schooled by hackers who managed to take a further US$8 million in this latest attack, bringing the total losses to US$13 million for the month. The cross-chain crypto token exchange platform manages US$100 million in funds.

The “helpful” hackers were kind enough to leave a note explaining THORChain’s weaknesses and cautioned that the result could have been far more damaging had they gone for the vault (BTC, ETH and BNB). They added:

“Do Not Rush Code That Controls 9 Figures”

About the Exploit

THORChain stated that a hacker (or hackers) deployed a custom contract that was able to trick its Bifrost Protocol into receiving a deposit of fake assets, duping the network to mistakenly process refunds of real assets back to the hacker. The breach was a highly “sophisticated attack” and the hacker has requested a bounty of 10 percent of the funds stolen for services rendered.

The network has responsibly ceased operating until the code can be reviewed and deemed secure before launching again. A harsh and expensive lesson, perhaps, but events such as this are part and parcel of DeFi (decentralised finance) as the space is still in its infancy in the untamed wild west.

There were really only two options. Launch and accept the risk of issues, or not launch and stay in the 90 percent complete audit-review cycle for another six months. Both are difficult.

Thorchain spokesperson

Earlier this month, THORChain lost US$4.9 million in Ethereum drained in a previous attack. Daniel Kim, head of capital markets at Maple Finance, said: “There’s a constant battle for these smart contract securities firms to keep up with hackers. That said, the DeFi industry is still nascent … these issues lead to solutions.”

The price of $RUNE fell 17 percent on the day as a result. It had been trading as high as US$20 in May, though the current value is bouncing around the US$4 mark, down over 80 percent from its peak.