Hey guys. For 2 weeks, we were visited by several sad things about Thorchain, the first hack occurred last week, which allowed hackers to steal 4000 ETH, the second case occurred already this week, the hacker was able to steal more than $8 million.
After the first hack, the project team had a choice, either to launch the protocol again, knowing about the possible risks, or to stop the blockchain for 6 months to conduct a full-fledged audit.
We know what we saw in the end. The team decided to take a risk, well, the risk was perceived by hackers as a challenge. As a result, we have a second hack, which has become even more destructive than the first.
The attacker took advantage of the refund vulnerability, here is the sequence of his actions. The network was halted during the attack, Refunds and LP withdrawals are still allowed. The attack can be named as Lack of proper multi-event handling. The hacker targeted a refund logic.
The simple attack steps:
• The attacker created fake router (Contract Address), than a deposit event emitted when the attacker sent ETH.
• The attacker passes returnVaultAssets() with a small amount of ETH, but the router is defined as an Asgard vault.
• On the Thorchain Router, its forwarding ETH to created fake Asgard.
• This creates a fake deposit event with a malicious memo.
• Thorchain Bifrost intercepts as a normal deposit and refunds to an attacker due to a bad memo definition.
Here’s what he managed to steal (~$8M USD) using such a simple logical chain.
966.62 ALCX
20,866,664.53 XRUNE
1,672,794.010 USDC
56,104 SUSHI
6.91 YEARN
990,137.46 USDT
The address of the wallet that participated in the creation of the smart contract.
https://etherscan.io/address/0x700196e226283671a3de6704ebcdb37a76658805
Other wallets of the attacker:
https://etherscan.io/address/0xc145990e84155416144c532e31f89b840ca8c2ce
https://etherscan.io/address/0xf56cba49337a624e94042e325ad6bc864436e370
https://etherscan.io/address/0x8c1944fac705ef172f21f905b5523ae260f76d62
Full analysis: https://github.com/HalbornSecurity/PublicReports/blob/master/Incident%20Reports/Thorchain_Incident_Analysis_July_23_2021.pdf
One more important feature was that a Twitter user under the nickname @bantg found that no approvals are needed to call the RUNE transfer function, as previously stated.
According to Banteg, it is enough to create a contract with the RUNE.transferTo function and transfer any amount of RUNE to the creator’s wallet, or any other wallet that will be registered in the owner.
At the moment, BEPSwap from Thorchain is completely suspended.
The blockchain explorer also does not work
https://viewblock.io/thorchain
What mistakes did the creators of Thorchain make?
I will say right away, my opinion is not expert and does not carry any negative assessment of the actions of the developers, I’m just expressing my thoughts. And so let’s get started.
The developers themselves admitted that their product is very difficult to implement, since it contains a large number of cross-chain options. Uniswap and other DEX, swap was implemented on Thorchain not using wrapped coins, but directly.
I mean, when you change BTC to LTC via BEPSwap, then you do not get wBTC or wLTC, as on UNI, but immediately change BTC to RUNE, and RUNE changes to LTC in automatic mode. This is a simplified example, everything is a little more complicated :)
The main mistake is that the developers have concentrated on a large number of blockchains. By creating opportunities for more flexible exchange, developers missed important security points, sometimes neglecting them in favor of easier use.
Thus, we have spaces in some moments of vulnerability. I really hope that the developers will fix their shortcomings, and the hacker who hacked Thorchain will show up and return all the funds.
What conclusions can we draw?
Despite a long period of time, the market of DeFi products and cryptocurrencies is still at the stage of its maturation, such situations have occurred and will continue to occur in the future.
But among all the options, you need to be able to find those opportunities that will be safer. I want to say now that you need to choose more carefully.
Here are the selection criteria I would suggest:
- The team has been developing for more than 10 years and has experience working in large companies;
- The team pursues ambitious goals and has really working products;
- Developers are focused on a few key things, rather than trying to keep up with all the features;
- There is a strong community;
- During the existence of the coin, it has not had any serious security problems;
I have long identified such a project for myself. I like Near Protocol, no matter who tells me what. I see a potential geometric growth of development here.
Look, everything is simple. I understand that it is wrong to compare the two protocols, especially after the incident, but I will do it.
Firstly, Near Protocol has a very well-known development team that has worked in Facebook, Google, Microsoft and other large companies.
What does this mean?
At least the fact that they were trusted by big players. The second is that any exploit or hacking will jeopardize the competence of developers, and they value what they have accumulated for more than one year.
The ambitious goals set by the developers of the Near Protocol are not only to simply create a swap that would support several blockchains, but to create a full-fledged competitor to Ethereum.
They cope with this perfectly, creating good conditions for beginners and already experienced developers. You can develop and issue contracts on the Near blockchain, ten times cheaper than it is on Ethereum.
The development is implemented using own EVM.
You can also easily transfer ERC 20 to Near, using the Aurora Rainbow Bridge. Here, I would stop in more detail and explain to you why this approach is better than using Thorchain.
The Aurora Bridge, as a part of the NEAR Rainbow Bridge, is the only fully trustless asset bridge in the Ethereum industry.
https://ethereum.bridgetonear.org/
The main difference between rainbow bridge is that it is an unreliable bridge, at the moment it is the only solution on the market.
Interaction occurs only within the two blockchains without conflicting between each other. The powers of Near are limited only by the Near Protocol blockchain, respectively, Ethereum interacts within its blockchain.
An example of using Rainbow Bridge.
- Suppose Alice wants to transfer X DAI to Bob on NEAR blockchain and she initiates the transfer from RainbowCLI/RainbowLib;
- RainbowLib first sets an allowance to transfer X DAI from Alice to TokenLocker;
- It then calls TokenLocker to grab those tokens resulting in TokenLocker emitting event “Alice locked X tokens in favor of Bob”;
- RainbowLib then waits until EthOnNearClient receives the Ethereum header than contains this event, plus 25 blocks more for confirmation (see note on Ethereum finality in opening section)
- Then RainbowLib computes the proof of this event and submits it to the MintableFungibleToken contract;
- MintableFungibleToken contract then verifies that this proof is correct by calling EthOnNearProver;EthOnNearProver, in turn, verifies that the header of the proof is on the canonical chain of EthOnNearClient, and it has the required number of confirmations. It also verifies the proof itself;
- MintableFungibleToken then unpacks the Ethereum event and mints X nearDAI for Bob, finishing the transfer.
Accordingly, you can only interact with the bridge directly, it is impossible to create a contract that would interact like what we saw in Thorchain.
This is a great technology that inherently has no boundaries, I am sure that developers will introduce interaction with other blockchains and applications so that users can transfer their assets to the Near blockchain.
Rainbow Bridge Documentation: https://near.org/ru/blog/eth-near-rainbow-bridge/
Conclusion
What happened in Thorchain is truly terrible. But we must not forget that this is a market that is always volatile and very young. I am sure that the developers of Thorchain will do everything in their power to prevent this from happening in the future.
Good luck to everyone!
