Thorchain suffers $8 million loss by hacker wanting to 'teach lesson'

Quick Take

  • Cross-chain swap platform Thorchain has been hit by an $8 million hack, its third in a month.
  • But this time, the hacker wanted to teach a lesson — as the attack could have been far worse.

Thorchain has been exploited for the third time in a month, bringing total losses to around $13 million. The platform, which looks after $100 million in funds, is designed for exchanging crypto tokens across different blockchains.

In this attack, the platform was exploited for $8 million: the hacker was able to trick the network into thinking they had deposited a range of funds when they hadn’t, and then somehow got a refund. But the hacker made sure to leave a note explaining that the attack could have been much more damaging.

In the input data field for one of the transactions, the hacker wrote that they could have taken further coins including bitcoin (BTC), ether (ETH) and BNB. They said there were multiple critical issues and they “wanted to teach lesson (sic) minimizing damage.” 

“Do not rush code that controls 9 figures,” they added.

Thorchain acknowledged that it had suffered a “sophisticated attack” and that the hacker knowingly limited its impact. It said that the hacker requested a 10% bounty of the stolen funds and that the treasury has the money to cover the exploit. But it added that now's the “time to slow down.”

Thorchain said that it plans to keep the network halted for now as it reviews the code. Then it will restore solvency (which could include paying the bounty). Once everyone is satisfied with the security of the network, it will be restarted. It hasn't given specific dates for when each stage will happen.

Prior to this attack, Thorchain suffered a relatively minor $140,000 incident in late June and a $5 million hack just a week ago.

