$5M in Ethereum Lost in THORChain Exploit

Key Takeaways

  • THORChain has suffered an exploit on Chaosnet, resulting in losses of roughly $5 million for ETH liquidity providers.
  • The THORChain team said that an attacker tricked the network’s Bifröst protocol to send ETH to their own address.
  • The liquidity providers will be reimbursed from the project’s treasury.

THORChain is the latest DeFi attack victim. 

THORChain Pauses Network After Attack 

THORChain has been exploited. 

The DeFi network, which focuses on cross-chain interoperability between protocols like Bitcoin and Ethereum, announced that an attacker had discovered a vulnerability on its Chaosnet. 

Initial estimates suggested that the assailant had taken 13,000 ETH worth $24.7 million, though THORChain has since taken to Twitter to say that the losses were closer to $5 million.

Aside from the liquidity providers who had locked ETH in the network, THORChain investors have also been hard hit: RUNE, the protocol’s native token, is down 14.9% at the time of writing, trading under $5 for the first time since March. 

In a tweet storm, THORChain explained how the attacker had taken the funds. The team said that the attacker “tricked” the project’s Bifröst protocol with a custom wrapper contract, then made multiple transfers of 0 ETH. However, the attacker sent a transaction that said that the value was 200 ETH and used a contract to direct the value back to their own address. The attacker used the attack path multiple times over, meaning they could take millions of dollars worth of ETH.
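The mismatch described above, reduced to a simplified accounting model (an added illustration, not THORChain's or Bifröst's code): a crediting rule that trusts the value declared on a transaction, beside one that counts only what the vault actually received. The record layout, labels, addresses and function names are assumptions made for this example.

```python
from dataclasses import dataclass

VAULT = "vault"  # constructed placeholder for the network's ETH vault address

@dataclass
class Transfer:
    sender: str
    recipient: str
    eth: int  # ETH actually moved by this step of execution

@dataclass
class Tx:
    label: str
    declared_eth: int  # value stated on the top-level transaction
    transfers: list    # what execution actually moved, in order

def received_by_vault(tx):
    """ETH that really arrived at the vault during this transaction."""
    return sum(t.eth for t in tx.transfers if t.recipient == VAULT)

def naive_credit(tx):
    """Flawed rule: any transfer to the vault is credited at the declared value."""
    touches_vault = any(t.recipient == VAULT for t in tx.transfers)
    return tx.declared_eth if touches_vault else 0

def checked_credit(tx):
    """Credit only what the vault received, whatever the transaction declares."""
    return received_by_vault(tx)

def flag_mismatches(txs):
    """Labels of transactions where the naive credit differs from vault receipts."""
    return [tx.label for tx in txs if naive_credit(tx) != checked_credit(tx)]

# Constructed sample data (not taken from the incident).
DIRECT = Tx("direct", 200, [Transfer("user", VAULT, 200)])
WRAPPED = Tx("wrapped", 200, [
    Transfer("sender", "wrapper", 200),  # declared value goes to the wrapper
    Transfer("wrapper", VAULT, 0),       # vault sees a transfer of 0 ETH
    Transfer("wrapper", "sender", 200),  # wrapper returns the value
])

if __name__ == "__main__":
    for tx in (DIRECT, WRAPPED):
        print(tx.label, naive_credit(tx), checked_credit(tx))
```

The same comparison works as a monitoring check: any observed deposit whose declared value differs from the vault's balance change is worth an alert before it is credited.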

THORChain has since explained that the attack only affected ETH liquidity providers. As the attacker paid high slippage fees, THORChain said, nodes, arbitrageurs, and liquidity providers for ERC-20 tokens should profit from the attack. 

THORChain paused the network last night and confirmed that it would donate funds to the ETH pool to restore what the liquidity providers lost. It also said it would work with security firms to conduct an audit.

In a…