Bitcoin Forum
December 15, 2024, 05:59:14 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Thorchain why was it hacked? Review.  (Read 173 times)
bizfyn_ru (OP)
Full Member
***
Offline Offline

Activity: 486
Merit: 110


View Profile
July 24, 2021, 02:17:38 PM
 #1

Hey guys. For 2 weeks, we were visited by several sad things about Thorchain, the first hack occurred last week, which allowed hackers to steal 4000 ETH, the second case occurred already this week, the hacker was able to steal more than $8 million.

After the first hack, the project team had a choice, either to launch the protocol again, knowing about the possible risks, or to stop the blockchain for 6 months to conduct a full-fledged audit.

We know what we saw in the end. The team decided to take a risk, well, the risk was perceived by hackers as a challenge. As a result, we have a second hack, which has become even more destructive than the first.

The attacker took advantage of the refund vulnerability, here is the sequence of his actions. The network was halted during the attack, Refunds and LP withdrawals are still allowed. The attack can be named as Lack of proper multi-event handling. The hacker targeted a refund logic.

The simple attack steps:

• The attacker created fake router (Contract Address), than a deposit event emitted when the attacker sent ETH.

• The attacker passes returnVaultAssets() with a small amount of ETH, but the router is defined as an Asgard vault.

• On the Thorchain Router, its forwarding ETH to created fake Asgard.

• This creates a fake deposit event with a malicious memo.

• Thorchain Bifrost intercepts as a normal deposit and refunds to an attacker due to a bad memo definition.

Here’s what he managed to steal (~$8M USD) using such a simple logical chain.

966.62 ALCX

20,866,664.53 XRUNE

1,672,794.010 USDC

56,104 SUSHI

6.91 YEARN

990,137.46 USDT

The address of the wallet that participated in the creation of the smart contract.

https://etherscan.io/address/0x700196e226283671a3de6704ebcdb37a76658805

Other wallets of the attacker:

https://etherscan.io/address/0xc145990e84155416144c532e31f89b840ca8c2ce

https://etherscan.io/address/0xf56cba49337a624e94042e325ad6bc864436e370

https://etherscan.io/address/0x8c1944fac705ef172f21f905b5523ae260f76d62

Full analysis: https://github.com/HalbornSecurity/PublicReports/blob/master/Incident%20Reports/Thorchain_Incident_Analysis_July_23_2021.pdf

One more important feature was that a Twitter user under the nickname @bantg found that no approvals are needed to call the RUNE transfer function, as previously stated.

According to Banteg, it is enough to create a contract with the RUNE.transferTo function and transfer any amount of RUNE to the creator’s wallet, or any other wallet that will be registered in the owner.

At the moment, BEPSwap from Thorchain is completely suspended.

https://chaosnet.bepswap.com/

The blockchain explorer also does not work

https://viewblock.io/thorchain

https://thorchain.net/#/

What mistakes did the creators of Thorchain make?
I will say right away, my opinion is not expert and does not carry any negative assessment of the actions of the developers, I’m just expressing my thoughts. And so let’s get started.

The developers themselves admitted that their product is very difficult to implement, since it contains a large number of cross-chain options. Uniswap and other DEX, swap was implemented on Thorchain not using wrapped coins, but directly.

I mean, when you change BTC to LTC via BEPSwap, then you do not get wBTC or wLTC, as on UNI, but immediately change BTC to RUNE, and RUNE changes to LTC in automatic mode. This is a simplified example, everything is a little more complicated Smiley

The main mistake is that the developers have concentrated on a large number of blockchains. By creating opportunities for more flexible exchange, developers missed important security points, sometimes neglecting them in favor of easier use.

Thus, we have spaces in some moments of vulnerability. I really hope that the developers will fix their shortcomings, and the hacker who hacked Thorchain will show up and return all the funds.

What conclusions can we draw?

Despite a long period of time, the market of DeFi products and cryptocurrencies is still at the stage of its maturation, such situations have occurred and will continue to occur in the future.

But among all the options, you need to be able to find those opportunities that will be safer. I want to say now that you need to choose more carefully.

Here are the selection criteria I would suggest:

The team has been developing for more than 10 years and has experience working in large companies;

The team pursues ambitious goals and has really working products;

Developers are focused on a few key things, rather than trying to keep up with all the features;

There is a strong community;

During the existence of the coin, it has not had any serious security problems;

I have long identified such a project for myself. I like Near Protocol, no matter who tells me what. I see a potential geometric growth of development here.

Look, everything is simple. I understand that it is wrong to compare the two protocols, especially after the incident, but I will do it.

Firstly, Near Protocol has a very well-known development team that has worked in Facebook, Google, Microsoft and other large companies.

What does this mean?

At least the fact that they were trusted by big players. The second is that any exploit or hacking will jeopardize the competence of developers, and they value what they have accumulated for more than one year.

https://near.org/team/

The ambitious goals set by the developers of the Near Protocol are not only to simply create a swap that would support several blockchains, but to create a full-fledged competitor to Ethereum.

They cope with this perfectly, creating good conditions for beginners and already experienced developers. You can develop and issue contracts on the Near blockchain, ten times cheaper than it is on Ethereum.

The development is implemented using own EVM.

https://aurora.dev/about

You can also easily transfer ERC 20 to Near, using the Aurora Rainbow Bridge. Here, I would stop in more detail and explain to you why this approach is better than using Thorchain.

The Aurora Bridge, as a part of the NEAR Rainbow Bridge, is the only fully trustless asset bridge in the Ethereum industry.

https://ethereum.bridgetonear.org/

The main difference between rainbow bridge is that it is an unreliable bridge, at the moment it is the only solution on the market.

Interaction occurs only within the two blockchains without conflicting between each other. The powers of Near are limited only by the Near Protocol blockchain, respectively, Ethereum interacts within its blockchain.

An example of using Rainbow Bridge.

Suppose Alice wants to transfer X DAI to Bob on NEAR blockchain and she initiates the transfer from RainbowCLI/RainbowLib;

RainbowLib first sets an allowance to transfer X DAI from Alice to TokenLocker;

It then calls TokenLocker to grab those tokens resulting in TokenLocker emitting event “Alice locked X tokens in favor of Bob”;

RainbowLib then waits until EthOnNearClient receives the Ethereum header than contains this event, plus 25 blocks more for confirmation (see note on Ethereum finality in opening section)

Then RainbowLib computes the proof of this event and submits it to the MintableFungibleToken contract;

MintableFungibleToken contract then verifies that this proof is correct by calling EthOnNearProver;EthOnNearProver, in turn, verifies that the header of the proof is on the canonical chain of EthOnNearClient, and it has the required number of confirmations. It also verifies the proof itself;

MintableFungibleToken then unpacks the Ethereum event and mints X nearDAI for Bob, finishing the transfer.

Accordingly, you can only interact with the bridge directly, it is impossible to create a contract that would interact like what we saw in Thorchain.

This is a great technology that inherently has no boundaries, I am sure that developers will introduce interaction with other blockchains and applications so that users can transfer their assets to the Near blockchain.

Rainbow Bridge Documentation: https://near.org/ru/blog/eth-near-rainbow-bridge/

Conclusion

What happened in Thorchain is truly terrible. But we must not forget that this is a market that is always volatile and very young. I am sure that the developers of Thorchain will do everything in their power to prevent this from happening in the future.
Teraboy
Hero Member
*****
Offline Offline

Activity: 2282
Merit: 505


View Profile
July 24, 2021, 02:28:26 PM
 #2

This is not the first time but two times thorchain got hacked and it's less than a month for the thorchain to be hacked agian for the second times.
Did you ever see ETC? There some platforms have been getting hacked for a few times. This is will be decreasing the trust by the users to the platform.
ninabobo
Full Member
***
Offline Offline

Activity: 463
Merit: 100



View Profile
July 25, 2021, 02:21:06 PM
 #3

It's really so bad how thorchain got hacked in two weeks, this looks suspicious and like an in house plan, well we can't actually conclude tho, if it's actually true that there where hacked this shows there did be so careless, the first hack supposed to serve as a lesson to them well so bad, this is more reason Near protocol stands out to make a difference, had it been thorchain was  built on Near protocol this couldn't have happened because there is actually a project call rainbow Bridge which wouldn't have let this happen because it was created to give solution to security bridging.

Cute Doggo
Newbie
*
Offline Offline

Activity: 27
Merit: 1


View Profile
July 25, 2021, 03:23:52 PM
 #4

Low cap projects have always a high risk to be hacked. Not only because requirements to compromise it are low, often techical code for such projects are not proven enough because low cap projects can't afford high quality developers and very important don't have a good peer to peer review.
Low cap projects are often a big experiment and people buying it will have a big risk to be affected of a flawly programmed code.
masterrex
Full Member
***
Offline Offline

Activity: 1820
Merit: 107



View Profile
July 25, 2021, 03:46:56 PM
 #5

It is a very unfortunate event, Imagine a platform that was hacked 2 times in two weeks? I see some red flags about it, I'm also not an expert but it has some motives that continuously playing in my mind, I don't understand why the developer took the risk when they already know that the platform was already compromised that's suspicious to me, although they already clarify it. But still many people are not contented with the reason including me. Just an opinion!
Coin-1
Legendary
*
Offline Offline

Activity: 2660
Merit: 2332



View Profile
July 25, 2021, 04:47:04 PM
 #6

What happened in Thorchain is truly terrible. But we must not forget that this is a market that is always volatile and very young. I am sure that the developers of Thorchain will do everything in their power to prevent this from happening in the future.

As far as I understand, the team is currently unable to find the critical issues exploited by these "white hat" hackers, so I wouldn't be surprised if the Thorchain DeFi protocol suffers the third sophisticated attack in the foreseeable future.

The team promised to take funds from the treasury and compensate all the victims involved. I just looked at Coingecko and noticed that the RUNE price has already dropped to $3.36.

The only thing the team can do is temporarily halt their ETH router and hire high-profile professionals and programmers to audit the source code of the Thorchain decentralized exchange. The main network must be protected from creating a fake router and Asgard.

In general, such serious altcoin hacks can hit the global cryptocurrency market. Sad
FlamingFingers
Sr. Member
****
Offline Offline

Activity: 1344
Merit: 288



View Profile
July 25, 2021, 04:48:59 PM
 #7

Low cap projects have always a high risk to be hacked. Not only because requirements to compromise it are low, often techical code for such projects are not proven enough because low cap projects can't afford high quality developers and very important don't have a good peer to peer review.
Low cap projects are often a big experiment and people buying it will have a big risk to be affected of a flawly programmed code.
Thorchain is not a low cap coin, a project of $920m market cap is no where regarded as low market cap project, any project can be hack, sushi was hacked despite being a strong top coin, when the creator returned $14m after the causing a huge crash, we've seen several hack from top coins and I think this might not be the end, as of Thorchain I ain't suprised about it, but I'm glad as they contain the whole panic

B.I.O.K.R.I.P.T|
  BiokriptX Fair Launch is now live in PINKSALE
|🟣 Twitter
🔵 Facebook
🟣 Telegram
nelson4lov
Hero Member
*****
Offline Offline

Activity: 2296
Merit: 830


🌀 Cosmic Casino


View Profile
July 25, 2021, 10:04:46 PM
 #8

Sorry to anyone who got affected in the thorchain hack. Aside from thorchain team disabling a number of features to mitigate the issue, there's a significant price dump after the news broke out about the hack. The fact that thorchain team just rushed to get their platform up and running - promoting features and neglecting security is a big turn off for me.

I had RUNE at some point but sold somewhere around the top (glad I did.). Now, I'm balls deep in near protocol and not sure I'd be moving on anytime soon considering it's one of the best projects I've come across in a long while. At near, the possibility of issues like this are super slim.

 
███████████████████████████
███████████████████████████
█████████▀▀████████████████
██████████████████████████
████████████▄▄▄███▀▀███████
██████████▄███▀▀██████████
██████████████▀████████████
█████▄▄█▀▄████▀▄██████████
████████▄█▀█████▀█████████
█████████████████████████
█████████████████████████
██████▄▄▄▄███████▄▄████████
███████████████████████████
███████████████████████████

 GALACTIX.io 


████
██
██
██
██
██
██
██
██
████

█▄
████████████████████
███████
█▀▀▀█
███▄▄▄███
███▀▀▀███
██
██████████
▀▀
█████▀▀█
███
▄█████▄▄▄███▄▄▄█████▄
█████████████████████

  QUEST  


████
██
██
██
██
██
██
██
██
████

▄▄▄███████▄▄▄
███████████████████████
▄██████████████████▄
▄███████████████████▄
▄███████████████████████▄
███████████████████████
████
███████████████████
████
███████████████████
▀███████████████████████▀
▀███████████████████▀
█████████████████████████

   3,000...
...
GAMES   
Dragonfund
Full Member
***
Offline Offline

Activity: 546
Merit: 148



View Profile
July 25, 2021, 10:50:32 PM
 #9

It is a very unfortunate event, Imagine a platform that was hacked 2 times in two weeks? I see some red flags about it, I'm also not an expert but it has some motives that continuously playing in my mind, I don't understand why the developer took the risk when they already know that the platform was already compromised that's suspicious to me, although they already clarify it. But still many people are not contented with the reason including me. Just an opinion!

But despite the hack and attack by hacker, people are still buying and I wonder the kind of mind some traders and investors possess. That's kind of stupid risk, not calculated one.
I didn't see this attempt coming towards Thor chain but I think the developers should have put a stop at disabling everything during the first attempt but they resume immediately as if nothing happens.
The hacker even made a gest of them saying line of codes doesn't need to be rush, they need to be reviewed, verified and carefully audited. It's painful to loose money this days and I felt bad for those affected.
WalkerIVIV
Hero Member
*****
Offline Offline

Activity: 2436
Merit: 503


Cryptocasino.com


View Profile
July 25, 2021, 11:10:54 PM
 #10

Low cap projects have always a high risk to be hacked. Not only because requirements to compromise it are low, often techical code for such projects are not proven enough because low cap projects can't afford high quality developers and very important don't have a good peer to peer review.
Low cap projects are often a big experiment and people buying it will have a big risk to be affected of a flawly programmed code.
Did you call this as a low cap? don't you even watch it on the CMC? thorchain was billion marketcap coin and it doesn't have low cap but this can be catagorized as the big cap coin. I think that you must try to find a good information about this. The second hack happened in a short time after the first hack. What the team was doing. It doesn't make sense for a billion cap project to be hacked easily.

RussianEnglishTranslation
Jr. Member
*
Offline Offline

Activity: 840
Merit: 6


View Profile
July 26, 2021, 06:18:43 AM
 #11

It sounds like an inside job, there are too many signs to ignore. One hack I understand but this is too much. The police need to be involved. If I were the Thorchain project managers I would integrate NEAR's rainbow bridge for ERC20s then integrate NEAR as a supported blockchain. That should solve the security problem.
casperBGD
Legendary
*
Offline Offline

Activity: 2156
Merit: 1151

Nil Satis Nisi Optimum


View Profile WWW
July 26, 2021, 06:42:02 AM
 #12

Low cap projects have always a high risk to be hacked. Not only because requirements to compromise it are low, often techical code for such projects are not proven enough because low cap projects can't afford high quality developers and very important don't have a good peer to peer review.
Low cap projects are often a big experiment and people buying it will have a big risk to be affected of a flawly programmed code.
Did you call this as a low cap? don't you even watch it on the CMC? thorchain was billion marketcap coin and it doesn't have low cap but this can be catagorized as the big cap coin. I think that you must try to find a good information about this. The second hack happened in a short time after the first hack. What the team was doing. It doesn't make sense for a billion cap project to be hacked easily.

agree, RUNE is far from low cap coin, capitalization is above $1B
on the other hand, they are now active on twitter, defending their right to be hacked, instead having all means deployed to build a solution, second hack was done by white hat hacker, that required bounty to get back funds, and proposed measures to improve protocol security
they should pause all LPs, and implement necessary improvements prior to continue, with contract audit as a required step to deploy pools on main-net

it is not enough to say that you are using protocol at your own risk, for a $1B project, that is way down
MSN02
Jr. Member
*
Offline Offline

Activity: 95
Merit: 2


View Profile
July 26, 2021, 07:33:46 AM
 #13

To me it seems a bit suspicious, could have even been an inside job. Whatever the case is using Aurora on NEAR protocol is proven, has world class developers working on it, and is secure. NEAR is working on more bridges but it already has the rainbow bridge bridging it to ethereum. NEAR has an everybody wins mentality and wants every project to get the benefits that NEAR offers while at the same time NEAR getting the benefits of the other projects. In light of this it’s clear to me that the developer team matter (NEARs is world class) and it has to have top backers  (NEAR has a lot but a couple ex coinbase and Pantera Capital) I believe that as crypto develops and mass adoption begins to accrue more and more of this will happen that’s why it’s important to know exactly what a project has and it’s track record. (Do your research) I’d recommend everyone look at NEAR, I personally love the project.
asriloni
Legendary
*
Offline Offline

Activity: 3234
Merit: 1033


Leading Crypto Sports Betting & Casino Platform


View Profile
July 26, 2021, 08:00:47 AM
 #14

The only billion project that was imputing the audit team. it seems like the audit already done only by the audit team and as far as I know this blockchain was using 3rd party to audit the code and then the team was not doing a collaboration to fix the bug. This is a very big problem that must be solved as soon as possible. Thor was loosing a lot of funds

..Stake.com..   ▄████████████████████████████████████▄
   ██ ▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄ ██  ▄████▄
   ██ ▀▀▀▀▀▀▀▀▀▀ ██████████ ▀▀▀▀▀▀▀▀▀▀ ██  ██████
   ██ ██████████ ██      ██ ██████████ ██   ▀██▀
   ██ ██      ██ ██████  ██ ██      ██ ██    ██
   ██ ██████  ██ █████  ███ ██████  ██ ████▄ ██
   ██ █████  ███ ████  ████ █████  ███ ████████
   ██ ████  ████ ██████████ ████  ████ ████▀
   ██ ██████████ ▄▄▄▄▄▄▄▄▄▄ ██████████ ██
   ██            ▀▀▀▀▀▀▀▀▀▀            ██ 
   ▀█████████▀ ▄████████████▄ ▀█████████▀
  ▄▄▄▄▄▄▄▄▄▄▄▄███  ██  ██  ███▄▄▄▄▄▄▄▄▄▄▄▄
 ██████████████████████████████████████████
▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
█  ▄▀▄             █▀▀█▀▄▄
█  █▀█             █  ▐  ▐▌
█       ▄██▄       █  ▌  █
█     ▄██████▄     █  ▌ ▐▌
█    ██████████    █ ▐  █
█   ▐██████████▌   █ ▐ ▐▌
█    ▀▀██████▀▀    █ ▌ █
█     ▄▄▄██▄▄▄     █ ▌▐▌
█                  █▐ █
█                  █▐▐▌
█                  █▐█
▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█
▄▄█████████▄▄
▄██▀▀▀▀█████▀▀▀▀██▄
▄█▀       ▐█▌       ▀█▄
██         ▐█▌         ██
████▄     ▄█████▄     ▄████
████████▄███████████▄████████
███▀    █████████████    ▀███
██       ███████████       ██
▀█▄       █████████       ▄█▀
▀█▄    ▄██▀▀▀▀▀▀▀██▄  ▄▄▄█▀
▀███████         ███████▀
▀█████▄       ▄█████▀
▀▀▀███▄▄▄███▀▀▀
..PLAY NOW..
Daltonik
Legendary
*
Offline Offline

Activity: 2618
Merit: 1504


View Profile
July 27, 2021, 03:33:50 PM
 #15

The THORChain team announced the suspension of work after several hacker attacks, they also talk about working on strengthening security, they reported this on their Twitter.



  ▄███████████▄
▄███████████████▄
█████▀ ▄▄▄ ▀█████  ▄▄▄
█████ █████ █████ █████
█████ █████ █████ █████
█████ █████▄▄▄▄▄▄▄█████
█████ █████████████████
█████ █████▀▀▀▀▀▀▀█████
█████ █████ █████ █████
█████ █████ █████ █████
█████▄ ▀▀▀ ▄█████  ▀▀▀
▀███████████████▀
  ▀███████████▀
██████████████████████████
██████████████████████████
██████████████████████████
█████████████████████████
██████████████████████████
██████████████████████████
██████████████████████████
██████████████████████████
████████████████████████
██████████████████████████
█████████████████████████
██████████████████████████
██████████████████████████
 Chamby on 
 X.com   
Ceyflix-Rez
Member
**
Offline Offline

Activity: 420
Merit: 13

$CYBERCASH METAVERSE


View Profile
July 27, 2021, 03:51:47 PM
 #16

I think the teams are the ones to be blame for this, this project isn't that new anymore so I don't understand why they can't upgrade their security more and more often to get away from easy hacks it just show how irresponsible the teams are

Daltonik
Legendary
*
Offline Offline

Activity: 2618
Merit: 1504


View Profile
July 29, 2021, 09:01:34 AM
 #17

Since the THORChain hack, its price has recovered by more than 36% thanks to the measures taken by the development team, who took security audit specialists to identify vulnerabilities and created a $500,000 reward program for detecting errors. There was also a video where the mechanism used to hack THORChain is analyzed in detail


  ▄███████████▄
▄███████████████▄
█████▀ ▄▄▄ ▀█████  ▄▄▄
█████ █████ █████ █████
█████ █████ █████ █████
█████ █████▄▄▄▄▄▄▄█████
█████ █████████████████
█████ █████▀▀▀▀▀▀▀█████
█████ █████ █████ █████
█████ █████ █████ █████
█████▄ ▀▀▀ ▄█████  ▀▀▀
▀███████████████▀
  ▀███████████▀
██████████████████████████
██████████████████████████
██████████████████████████
█████████████████████████
██████████████████████████
██████████████████████████
██████████████████████████
██████████████████████████
████████████████████████
██████████████████████████
█████████████████████████
██████████████████████████
██████████████████████████
 Chamby on 
 X.com   
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!