THORChain (RUNE) Suffers Second Exploit in 8 Days, $8M Stolen

2 мес назад 28

Cross-chain protocol THORChain (RUNE) has suffered around $8 million in losses in a new exploit today – its second hack in just over a week.

The attack targeted the platform’s ETH router, with the hacker surprisingly deliberately stealing less funds than they could have made away with. 

THORChain has suffered a sophisticated attack on the ETH Router, around $8m. The hacker deliberately limited their impact, seemingly a whitehat.

ETH will be halted until it can be peer-reviewed with audit partners, as a priority.

LPs in the ERC-20 pools will be subsidised.

— THORChain (@THORChain) July 23, 2021

About the Exploit

The exploit took advantage of THORChain’s ETH router, which controls the movement of Ethereum-based tokens through the project’s cross-chain decentralized exchange. 

The exact mechanics of the exploit are still to be disclosed, however the attacker managed to drain significant amounts of USDC Coin (USDC), Sushi ((SUSHI), Yearn Finance (YFI), Tether (USDT), Alchemix (ALCX) and XRUNE Token (XRUNE). The total value of tokens drained amounted to around $8 million.

The attacker then offloaded all of the proceeds via decentralized exchanges Uniswap and SushiSwap at extremely high slippage, securing around $4.1 million in ETH.

Interestingly, the hacker left a message on one of the transactions indicating that they could have taken several other assets from the protocol if they so desired. They also added that a 10% value-at-risk bounty would have prevented the attack, as well as warning against rushing code that controls such a large sum of funds.

THORChain’s Response

The THORChain team has halted the functionality of the ETH router until it has been peer-reviewed with audit partners. This will disable any further transfer of Ethereum-based assets via the platform. Liquidity providers in the ERC20 token pools will also be compensated.

An additional tweet from the team said that they would be willing to award the requested 10% bounty if the hacker reaches out, out of the project’s treasury. 

The attack is the second in just eight days, the first of which resulted in more than $6 million in losses.

Читать полностью