Just under two weeks ago, the ThorChain (RUNE) protocol was the target of an attack resulting in the loss of $5 million. Unfortunately, the protocol has just been hit by a second attack, even more devastating than the first.
The first THORChain attack
During the night of July 15-16, the Thorchain cross-chain liquidity protocol was the target of an attack aimed at the pools deployed on Ethereum. In total, the attacker got away with a loot of just under 5 million dollars in ETH.
In practice, a flaw was present in the Bitfröst Ethereum node, allowing liquidity transfers from one chain to another.
Subsequently, the bug was solved and the funds refunded via the protocol’s cash fund. In parallel, the developers tried to contact the attacker to ask him to return the funds in exchange for a reward for identifying the bug, without success. In addition, the protocol’s teams have announced that they are accelerating audits of all their contracts.
The second attack: 8 million stolen
Unfortunately, the respite was short-lived for the protocol teams. On July 26, the protocol was the victim of a second attack, this time much more devastating in terms of losses.
Once again, it was the Bitfröst Ethereum node that was the target of the attack. According to information reported by the specialized media Rekt, the attack took place in five acts:
- The attacker created a fake router, then triggered a deposit event by sending ETH.
- This router then passed a small amount of ETH via the returnVaultAssets() function, however the router was defined as an Asgard vault, a node that is supposed to hold the funds of the operator nodes.
- In turn, the real Thorchain router transferred ETH to the fake Asgard vault.
- This created a fake deposit event containing a malicious memo.
- The Bitfröst ETH node, on the other hand, intercepted this event as a normal deposit and refunded it to the attacker due to a wrong definition of the memo.
- As a result, the attacker managed to extract the equivalent of $8 million from the liquidity pools, increasing the total amount lost by the protocol to over $13 million in just two weeks.
The stolen funds break down as follows:
- 966.62 ALCX;
- 20,866,664.53 XRUNE;
- 1,672,794.01 USDC;
- 56,104 SUSHI ;
- 6.91 YFI;
- 990,137.46 USDT.
When the attacker teaches the lesson
In addition to stealing the funds, the attacker left a note for the developers. In it, he explains that he could have stolen even more funds if he wanted to.
A message containing lessons left by the hackers:
“I could have taken ETH, BTC, LYC, BNB and BEP20s if I had waited. I wanted to teach a lesson by minimizing the damage.”
In the rest of his message, the attacker explains that several critical issues are present in the protocol code. In addition, the latter reminds the importance of audits that are not optional and gives notice to the developers to pause the protocol until the said audits have been performed.
“Several critical issues. A 10% VAR bonus would have prevented this. Disable the protocol until the audits are complete. Audits are not a good thing to have. Don’t rush a code that checks 9 digits.”
Indeed, audits of the protocol are underway, yet it is already managing several million dollars.
Unsurprisingly, the price of the RUNE token, Thorchain’s own token, saw a 15% drop in price following the attack.
In his speech at the ETHCC in Paris, Vitalik Buterin expressed his desire to see Ethereum evolve beyond DeFi. An understandable desire, but far from the realities of the protocol. Indeed, before creating new applications, the ecosystem should focus on the implementation of security standards, to avoid that hacks continue to tarnish its image.