THORChain is a decentralized exchange allowing cross-chain token swaps. In July 2021, it was the victim of a hack that allowed the attacker to steal about $4.9M in tokens from the protocol’s liquidity pools.
Inside the Attack
The attacker exploited a bug in Bifrost, which is THORChain’s bridge to the Ethereum network. The code has an override loop (designed only to be used in a vault transfer incident), which was manipulated in this hack. The hacker wrapped the router with their own contract and used the override function to set a transaction msg.value of 200. When Bifrost processed the transaction, it only read the msg.value and believed that the attacker had deposited 200 tokens, but the actual deposit was for 0. This hack was repeated in a loop, extracting value from various liquidity pools.
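The following Go example is added here to illustrate the flaw described above; it is not THORChain's or Bifrost's code. It contrasts an observer that credits the transaction's msg.value with one that credits only the amount reported in the router's own deposit event. The types, function names, and addresses are hypothetical, and the sample transaction is constructed.

```go
package main

import (
	"fmt"
	"math/big"
)

// Constructed placeholder address; not THORChain's real router.
const routerAddr = "0xROUTER"

// DepositLog is a simplified deposit event from a transaction receipt (assumed shape).
type DepositLog struct {
	Emitter string   // contract that emitted the event
	Amount  *big.Int // amount the emitter reports having received
}

// ObservedTx is a simplified view of what a bridge observer sees (assumed shape).
type ObservedTx struct {
	To    string   // direct recipient of the outer transaction
	Value *big.Int // msg.value of the outer transaction
	Logs  []DepositLog
}

// creditFromTxValue mirrors the flaw described above: it trusts msg.value alone.
func creditFromTxValue(tx ObservedTx) *big.Int {
	return new(big.Int).Set(tx.Value)
}

// creditFromRouterEvents credits only what the router itself reports receiving.
func creditFromRouterEvents(tx ObservedTx) *big.Int {
	total := new(big.Int)
	for _, l := range tx.Logs {
		if l.Emitter == routerAddr && l.Amount != nil && l.Amount.Sign() > 0 {
			total.Add(total, l.Amount)
		}
	}
	return total
}

// mismatch flags transactions where the two views disagree, for alerting.
func mismatch(tx ObservedTx) bool {
	return creditFromTxValue(tx).Cmp(creditFromRouterEvents(tx)) != 0
}

func main() {
	// Constructed sample: value 200 sent to a wrapper, router reports a deposit of 0.
	wrapped := ObservedTx{To: "0xWRAPPER", Value: big.NewInt(200),
		Logs: []DepositLog{{Emitter: routerAddr, Amount: big.NewInt(0)}}}
	fmt.Println(creditFromTxValue(wrapped), creditFromRouterEvents(wrapped), mismatch(wrapped))
}
```

A disagreement between the two amounts is also a useful alerting signal, since an honest direct deposit produces the same figure in both views.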
After the Attack
Despite the severity of the attack, the THORChain community was quick to act and intervene, with the following plan:
1) Release the patch and restart the network, restoring solvency
2) Donate funds back into the ETH pool to restore the lost funds to ETH LPs
3) Release the automatic-solvency checker
4) Work with security firms to audit
The THORChain network is designed so that it can halt operations if needed. If one-third of the nodes use the “make halt” command to halt their nodes’ operations, then the entire network halts. Once the incident was detected, the network voluntarily activated this failsafe.
THORChain Teams Up with Halborn
THORChain has been taking action to improve the security of its protocol in the future. Less than a week before this incident, the THORChain community approved a proposal for blockchain security firm Halborn to perform a penetration test of the THORnode and other layer 1 assets.
In the wake of this latest hack, Halborn is developing a proposal for an “always-on” comprehensive approach to test all of THORChain’s assets and updates. The Halborn team of white hat, ethical hackers will continually audit every update to ensure the best security before its deployment on the network.