DeFi is a brand new concept, and as such the risks of investing in these protocols are higher than those of investing in Bitcoin, for example. There have been rug pulls, scams and exploits, all costing millions of dollars in losses.
One common theme is that the useless assets never recover and are dead for good. However, there are some protocols that survive the onslaught, and end up being battle-tested.
No project is ever 100% finished at launch, and projects must be tested under live conditions so that further development can continue and any teething problems can be ironed out.
It is not all doom and gloom though – the higher risk associated with investing early in a project leads to the potential for higher reward.
The crypto market has experienced a lot of turbulence recently. However, our outlook has not changed.
Disclaimer: NOT FINANCIAL NOR INVESTMENT ADVICE. Only you are responsible for any capital-related decisions you make and only you are accountable for the results.
The last few weeks have certainly been rough for THORChain. Last week the protocol was subjected to another attack that targeted roughly the same vector that the previous attack used. Additionally, a design flaw in the ETH.RUNE token came to light, causing more FUD to spread about the project. There is no sugar-coating that these attacks have been detrimental to confidence in the project, and it will likely take months to restore that confidence.
However, it is vital to consider the fact that THORChain is a product that is still in development or BETA. There are warnings all over the various interfaces used to interact with the protocol, such as THORSwap, stating that large amounts of funds should not be used. The complexity of the protocol the team is building also increases the likelihood of attacks because multiple chains are involved. What THORChain is trying to achieve is one of the most difficult tasks attempted in crypto – direct L1 to L1 cross-chain swaps.
THORChain was subjected to another attack on the 22nd of July. As previously stated, the attacker used a similar method to the attack outlined in this report. Both recent hacks targeted a weak area within the coding of the protocol that was exploitable due to the complexity of interactions between smart contracts and a block scanner.
Fortunately, during this attack, the network was only partially running as part of the recovery plan outlined for the previous hack, and so trading on all chains was still halted. This prevented the hacker from stealing more funds. An outline of the attack vector used is as follows:
- The hacker created a smart contract that acted as a phoney router.
- The attacker then sent a small amount of ETH, which registered as a deposit event.
- Asgard vaults handle inbound transactions – the smart contract that the hacker created registered as an Asgard vault to the THORChain router, which sent the hacker’s ETH back to his own phoney router.
- This created a fake deposit event with a false memo.
- The Bifrost read this fake deposit event as a normal deposit, and due to the false memo, automatically refunded the attacker with real assets. This is a built-in mechanism to avoid losing user funds if a wrong memo is entered into the transaction.
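
The checks that keep a forged deposit event away from the refund path can be sketched as follows. This is an added example, not THORChain's Bifrost code: the struct fields, the addresses and the memo prefixes are assumptions made for illustration. A deposit is only acted on, refund included, if the event came from the genuine router, names a known Asgard vault, and the vault really received the claimed amount.

```go
package main

import (
	"fmt"
	"strings"
)

// DepositLog is a simplified, hypothetical view of a deposit event seen by a block scanner.
type DepositLog struct {
	Emitter  string // contract address that emitted the event
	Vault    string // vault address named in the event
	Amount   uint64 // amount the event claims was deposited
	Received uint64 // amount the vault actually received in this transaction
	Memo     string
}

// Scanner holds the addresses the network itself trusts (constructed values below).
type Scanner struct {
	Router string
	Vaults map[string]bool
}

// Decide returns "process", "refund" or "drop"; refunds are only reachable after validation.
func (s Scanner) Decide(l DepositLog) (action, reason string) {
	switch {
	case !strings.EqualFold(l.Emitter, s.Router):
		return "drop", "event not emitted by the real router"
	case !s.Vaults[strings.ToLower(l.Vault)]:
		return "drop", "vault in event is not a known Asgard vault"
	case l.Received < l.Amount:
		return "drop", "vault did not receive the claimed amount"
	case !strings.HasPrefix(l.Memo, "SWAP:") && !strings.HasPrefix(l.Memo, "ADD:"):
		return "refund", "memo not understood, return what was really received"
	}
	return "process", ""
}

func main() {
	s := Scanner{Router: "0xrouter", Vaults: map[string]bool{"0xasgard1": true}}
	logs := []DepositLog{ // constructed sample events
		{"0xrouter", "0xasgard1", 100, 100, "SWAP:BTC.BTC:addr"},
		{"0xfake", "0xasgard1", 100, 0, "not a memo"},
		{"0xrouter", "0xfakevault", 100, 0, "not a memo"},
		{"0xrouter", "0xasgard1", 100, 100, "not a memo"},
	}
	for _, l := range logs {
		a, r := s.Decide(l)
		fmt.Printf("%-9s %-11s -> %-7s %s\n", l.Emitter, l.Vault, a, r)
	}
}
```
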
The total damage of the attack appears to have been around $8 million. The attacker used the Tornado Cash protocol to withdraw in a completely private and untraceable manner – Tornado Cash has been used many times in the past by black-hat hackers to anonymously “launder” their stolen funds.
The attacker used the false memos to send a message to the development team. Here is an example of the raw data from one of the transactions:
There were several transactions with messages sent in this way. A user in the THORChain community Discord went through the transactions and found all the memo messages:
The implication is that, had the protocol been completely online at the time of the attack, the hacker claims they could have made away with much more. Clearly, the hacker believes that there are a few more vulnerabilities within the protocol that must be resolved ASAP. They also appear to have criticised the THORChain team for their handling of the previous hack – i.e., rushing the fix.
Not long after the attack, another vulnerability came into the spotlight. Some wallets holding ETH.RUNE, the version of RUNE that lives on the Ethereum network, were airdropped a token called UNIH. The token itself is completely useless, and its sole purpose was to bait the wallet owners into trying to sell it on a decentralised exchange. Once the user approved the use of the UNIH token, a malicious contract would transfer all ETH.RUNE in the user’s wallet to the scammer’s address.
This is possible due to the design of the ETH.RUNE token. For some reason, the developers did not want to use ERC-20, the standard that most Ethereum tokens use. The stated purpose of the code is to ease the process of upgrading ETH.RUNE to native THOR.RUNE. However, the developers literally told any would-be scammer exactly how to exploit this in the code comments. Considering all the code is open-source and available on GitHub, this seems rather negligent.
It appears that the scammer was only able to steal around $76,000 worth of RUNE. Still, the news of this exploit shortly after the main attack further exacerbated an already concerning situation. For holders of ETH.RUNE, the tokens should be safe if the UNIH token is not approved for use by the user.
What happens going forward?
The THORChain developers and community have been proactive in coming up with solutions to the immediate issues. As previously stated, the protocol is undergoing audits from two cyber-security firms, with the Halborn audit set for completion at the end of August. The developers set out an initial plan of action that they will be following over the coming weeks:
- A controlled restart of the network will be initiated with the compromised components (e.g., Bifrost) isolated. Liquidity Providers and Node Operators will be back-paid the rewards owed to them since the network was halted. Nodes that were on standby will also be paid 50% of the rewards that active nodes will receive to ensure they are compensated as well, which is a great gesture from the developers. Note that trading will not be reactivated at this stage.
- With the network restarted, updates to fix bugs and add security measures can be implemented.
- The two auditing firms (Halborn and ToB) will be reviewing all chains, as well as the swap and provide-liquidity functions, to ensure they are secure and stable, after which the clients will be restarted (this likely means trading will be restarted too, but only for BNB and UTXO chains).
- Since the Ethereum (ERC-20) chain was the centre of all the major attacks, it will undergo a community review to decide whether ERC-20 tokens will remain supported by THORChain in the near to mid-term.
- A bug bounty program is currently in development with support from Immunefi, a bug bounty platform currently used by many large DeFi protocols. This will hopefully provide white-hat hackers incentive to report bugs to the team, as well as incentivise potential black-hat hackers to claim a bounty rather than steal the assets outright.
- Finally, once the action points outlined have been addressed, the network should be fully operational, assuming the audits have been completed in full and any problems resolved.
In addition to this, THORChain has announced that they will be working with DeFi insurance protocols to enquire about insuring the entire THORChain ecosystem to provide further protection against future attacks.
After the two audits are completed and the bounty program is in place with the help of @ninerealms_cap and @immunefi; THORChain will approach a number of DeFi insurance protocols and attempt to insure the entire protocol.
Big task? For sure.
Want to help? Reach out.
— THORChain #BRINGBACKMCCN (@THORChain) July 28, 2021
If this is possible, it will massively boost confidence in the protocol since funds could be covered regardless of what happens. Insurance will also protect the THORChain treasury from being drained by future attacks. There is no confirmed timeline for the completion of the action plan yet.
As announced on Discord we have taken the decision to add more RUNE at around $3 to capitalise on this opportunity. In the grand scheme of things, RUNE has not performed any worse than some other DeFi assets, despite the recent events. This is an example of the concept of buying fear that we spoke about in a recent journal.
We believe that the plan put forward by the team, as well as the ongoing audits and talks with insurance protocols, is a step in the right direction. The number of attacks, as well as the less-than-optimal handling of them by the development team, has led to substantial uncertainty around the protocol. It will likely take a couple of months to restore investor confidence; however, after having spectated the community Discord interactions for the last few weeks, we are still confident in the protocol.