Popular cross-chain decentralized exchange THORChain has suffered a multi-million-dollar breach.
Estimates of the scale of the damage vary. THORChain revised the initial estimate that 13,000 Ether (ETH), worth $25.1 million, had been stolen, bringing the total down to 4,000 ETH (roughly $7.6 million) as a ballpark for damages. A subsequent community-provided rundown of stolen assets suggests the figure is closer to $6 million.
At this stage the estimate is around ~4000 ETH worth of assets (ETH/ERC20) was taken, not 13k ETH.
More detailed assessment and recovery steps will be announced soon.
The users who suffered (LPs) will be made whole in the coming weeks. https://t.co/LR2x8VZ2kx
— THORChain #ACTIVATETHESYNTHS⚡️ (@THORChain) July 15, 2021
In the THORChain community Telegram channel, administrators have indicated the project has the funds needed to cover users’ stolen assets but articulated a preference for the hacker to return the stolen funds in exchange for a bug bounty.
“While the treasury has the funds to cover the stolen amount, we request the attacker get in contact with the team to discuss return of funds and a bounty commensurate with the discovery,” a Telegram post stated, adding that user funds “will be available when the issue has been patched & the network resumes.”
THORChain has since tweeted that its preliminary roadmap to recovery is underway, announcing that after the vulnerability is patched and the network is restarted, Ether will be donated to liquidity provider pools to reimburse impacted users. From there, the team plans to engage security firms to have its contracts audited.
As of this writing, the THORChain network remains halted.
This is a disappointing moment for all, but LPs and Nodes should be unaffected after all is recovered (the funds will be restored).
The network will be stronger and more resilient.
— THORChain #ACTIVATETHESYNTHS⚡️ (@THORChain) July 16, 2021
Blockchain cybersecurity firm Halborn Security is compiling a proposal to the THORChain community for “Advance Persistent Protection,” offering up a team of up to half a dozen “ethical security engineers working to break every update on Thorchain.”
THORChain entered its guarded “Chaosnet” launch in April, facilitating cross-chain swaps across the Bitcoin, Ethereum, Litecoin, Bitcoin Cash and Binance Chain networks.
DeFi Watch founder Chris Blec said the staged “raise the caps” launch of THORChain had prevented an even greater loss of funds.
Keep in mind – THORchain has been responsibly using a guarded launch approach to its rollout. This exploit could have been *much worse* if they had just recklessly launched without caps on its liquidity pools.
— Chris Blec (@ChrisBlec) July 15, 2021
Today’s attack is not the first time THORChain has been targeted by hackers during its Chaosnet deployment, with the protocol losing at least $140,000 worth of assets last month.