Thorchain suffers $8 million loss by hacker wanting to 'teach lesson'

Quick Take

  • Cross-chain swap platform Thorchain has been hit by an $8 million hack, its third in a month.
  • But this time, the hacker wanted to teach a lesson — as the attack could have been far worse.

Thorchain has been exploited for the third time in a month, bringing total losses to around $13 million. The platform, which looks after $100 million in funds, is designed for exchanging crypto tokens across different blockchains.

In this attack, the platform was exploited for $8 million as the hacker was able to trick the network into thinking they had deposited a range of funds, when they hadn’t, and then somehow getting a refund. But the hacker made sure to leave a note explaining that the attack could have been much more damaging.

In the input data field for one of the transactions, the hacker wrote that they could have taken further coins including bitcoin (BTC), ether (ETH) and BNB. They said there were multiple critical issues and they “wanted to teach lesson (sic) minimizing damage.” 

“Do not rush code that controls 9 figures,” they added.

Thorchain acknowledged that it had suffered a “sophisticated attack” and that the hacker knowingly limited its impact. It said that the hacker requested a 10% bounty of the stolen funds and that the treasury has the money to cover the exploit. But it added that now's the “time to slow down.”

Thorchain said that it plans to keep the network halted for now as it reviews the code. Then it will restore solvency (which could include paying the bounty). Once everyone is satisfied with the security of the network, it will be restarted. It hasn't given specific dates for when each stage will happen.

Prior to this attack, Thorchain suffered a relatively minor $140,000 incident in late June and a $5 million hack just a week ago.

The price of thorchain (RUNE) has continued to slide, down 17% today. It has fallen further from its peak of $20.30 in May to its current value of $3.85 — down 81% over this time period.

How this affects ShapeShift

On a related note, Thorchain is one of the main technologies used by ShapeShift — a service for swapping tokens that plans to go fully decentralized. During this move, it will become more dependent on technologies such as Uniswap and 0x for Ethereum-based trades.

In a recent interview prior to this exploit, ShapeShift CEO Erik Voorhees told The Block — in reference to Thorchain’s $5 million hack — “It's certainly concerning.” But he argued that the network is in an experimental phase, kind of like a beta version, but with real money. So it’s no surprise that it has faced some issues.

Voorhees said, “I don't want to sugarcoat it. That's not good. And there were mistakes made there. But ultimately, these systems just have to iterate and improve and become more resilient by being out in the wild.”

For more breaking stories like this, make sure to subscribe to The Block on Telegram.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.