Key Takeaways

THORChain has suffered an attack, leading to losses of around $8 million.
An attacker tricked the Bifröst protocol into accepting a fake deposit, then received a refund for the assets even though it hadn’t deposited any to the protocol.
It’s the third major incident to hit THORChain in a month. A Bifröst exploit led to losses of $5 million only a week ago.

Share this article

THORChain says the attacker made off with around $8 million. 

THORChain Hit by Another Exploit 

THORChain has suffered its third critical attack in a month.

THORChain has suffered a sophisticated attack on the ETH Router, around $8m. The hacker deliberately limited their impact, seemingly a whitehat.

ETH will be halted until it can be peer-reviewed with audit partners, as a priority.

LPs in the ERC-20 pools will be subsidised.

— THORChain (@THORChain) July 23, 2021

The team behind the project took to Twitter to announce that a hacker had carried out a “sophisticated attack” earlier this morning. The hacker used their own contract to trick THORChain’s Bifröst protocol into accepting a deposit of assets even though they hadn’t made any deposit. This essentially meant that they could receive a free refund without adding any funds to the protocol. 

The hacker left a note suggesting that they could have taken more than $8 million, adding that they spotted “multiple critical issues.” A message in one of the transaction’s input data read: 

“Could have taken ETH, BTC, LYC, BNB, and BEP20s if waited Wanted to teach lesson minimizing damage 

Multiple critical issues 

10% VAR bounty would have prevented this 

Disable until audits are complete

Audits are not a nice to have

Do not rush code that controls 9 figures” 

The total losses amount to around $8 million. THORChain said that the hacker was “seemingly a whitehat” because they made less impact than they could have done, and revealed that the hacker had requested a 10% bounty that would be awarded if they reach out. THORChain confirmed it would halt its network chain pending security audits and that liquidity providers would be reimbursed from its treasury. While the team thanked the THORChain community for its support, a note in the announcement read:  

“It is a tough time for the community and project, and the pain is real.” 

The impact of the incident has doubtless been compounded by THORChain’s recent run of other similar attacks. Last week, the protocol suffered losses of around $5 million when a hacker tricked Bifröst into sending multiple 200 ETH transactions to their own address. In late June, THORChain was hit by another incident, though that time the losses came to a relatively minor $140,000. 

THORChain is a cross-chain liquidity protocol for trading assets like BTC and ETH. It has its own token called RUNE for moving from one asset to another. The native token has also taken an 11.8% hit following the latest, currently trading at $4.14. 

Disclosure: At the time of writing, the author of this feature owned ETH, ETH2X-FLI, and several other cryptocurrencies. 

This news was brought to you by ANKR, our preferred DeFi Partner.

Share this article

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.

$5M in Ethereum Lost in THORChain Exploit

THORChain is the latest DeFi attack victim.  THORChain Pauses Network After Attack  THORChain has been exploited.  The DeFi network, which focuses on cross-chain interoperability between protocols like Bitcoin and Ethereum,…

Erik Voorhees Bets on Ethereum DEXs, THORChain

Switzerland-based crypto platform ShapeShift has come a long way since Erik Voorhees founded it in 2014. From its launch until late 2017, it became one of the most widely known…

Shapeshift to Pioneer Cross-Chain Trading With THORChain

ShapeShift users can now swap Bitcoin, Ethereum, or Litecoin directly across their respective blockchains is now possible for the first time ever. A First From ShapeShift’s DEX Swapping assets between…