On July 15th, a hacker exploited a vulnerability in THORChain's cross-chain decentralized exchange, causing the loss of around 4000 ETH (7 million USD). The exchange was halted by the node operators and the price of its native token RUNE fell by nearly 20%.
This article will cover what THORChain is, how it was attacked, and go over some areas for improvement.
THORChain in a Nutshell
What makes THORChain a unique project is its ambitious goal to give users the freedom to trade cryptocurrencies without having to use a centralized exchange.
Currently, if you want to trade Bitcoin or Ethereum for some other cryptocurrency, you must open an account with a centralized exchange, such as Binance or KuCoin, where you deposit one asset, trade it, and withdraw another.
Decentralized exchanges do already exist, but they only work within the confines of the blockchain they were built on. For example, Uniswap is Ethereum-specific and can only be used to trade ERC-20 tokens. PancakeSwap is specific to Binance Smart Chain and can only handle BEP-20 tokens.
THORChain, on the other hand, is a cross-chain decentralized exchange that allows users to trade assets on one blockchain with assets on an entirely different blockchain. For example, you could trade Bitcoin directly for Ethereum, or Litecoin directly for Dogecoin, all without going through a centralized exchange.
With THORChain there's no need to upload your passport, driver's license, two photos, a handwritten note, and dance like a monkey in front of the camera in order to trade. You also don't have to worry about some hacker breaking into the exchange's database and stealing your identity. Even better, billions of underprivileged people around the world who don't have government ID will be able to trade their digital assets freely.
People can use the exchange not only to trade assets, but they can also add liquidity to the network by depositing an equal dollar amount of one asset and RUNE. For example, you could deposit $1000 worth of Ethereum and $1000 worth of RUNE into a liquidity pool. And in return for providing this liquidity you would earn rewards, or swap fees, on your deposits.
The current version of the THORChain network is aptly called "Chaosnet". The developers have placed caps on the amount of liquidity users can provide and warned investors that it is a highly risky experiment. There are currently 38 active nodes and 23 on standby, with the ability to scale to hundreds. Anyone can become a node with a minimum RUNE bond.
So far, the team has successfully implemented native cross-chain trading for BTC, BNB, ETH, BCH, and LTC, with plans to add many more in the future. ShapeShift is the first exchange to integrate THORChain into their trading app.
Essentially, the hacker was able to trick the ETH Bifrost component of THORChain into thinking they were depositing ETH when they were actually transferring zero. This attack was repeated for 1-2 hours before the network was finally halted by the node operators.
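The defensive lesson in that sentence is that a chain observer must credit a deposit only for value that actually moved on chain, never for an amount the sender merely claims. The following Python snippet is an added illustration of that reconciliation check; it is not THORChain's Bifrost code, and the `ObservedDeposit` record, the `validate_deposit` and `process_batch` functions, and the sample transactions are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ObservedDeposit:
    """Hypothetical observation record (constructed; not Bifrost's schema)."""
    tx_hash: str
    claimed_wei: int      # amount the deposit message/event claims was sent
    transferred_wei: int  # ETH that actually moved into the vault in this tx
    memo: str


def validate_deposit(dep: ObservedDeposit) -> Tuple[bool, int, str]:
    """Return (accept, amount_to_credit, reason).

    The credited amount is always the value that actually moved on chain;
    a claimed amount is only ever used to cross-check, never to credit.
    """
    if dep.transferred_wei <= 0:
        return False, 0, "no value transferred"
    if dep.claimed_wei != dep.transferred_wei:
        return False, 0, f"claimed {dep.claimed_wei} != transferred {dep.transferred_wei}"
    return True, dep.transferred_wei, "ok"


def process_batch(deposits: List[ObservedDeposit]) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Split a batch of observations into credited amounts and rejection reasons."""
    credited: Dict[str, int] = {}
    rejected: Dict[str, str] = {}
    for dep in deposits:
        ok, amount, reason = validate_deposit(dep)
        if ok:
            credited[dep.tx_hash] = amount
        else:
            rejected[dep.tx_hash] = reason
    return credited, rejected


ONE_ETH = 10**18

# Constructed sample observations: one honest deposit, one that claims value
# while transferring nothing, and one that overstates the amount transferred.
SAMPLE_DEPOSITS = [
    ObservedDeposit("0xc0ffee01", ONE_ETH, ONE_ETH, "ADD:ETH.ETH"),
    ObservedDeposit("0xc0ffee02", ONE_ETH, 0, "ADD:ETH.ETH"),
    ObservedDeposit("0xc0ffee03", 2 * ONE_ETH, ONE_ETH, "SWAP:BTC.BTC"),
]

if __name__ == "__main__":
    credited, rejected = process_batch(SAMPLE_DEPOSITS)
    for tx, amount in credited.items():
        print(f"credit {tx}: {amount} wei")
    for tx, reason in rejected.items():
        print(f"reject {tx}: {reason}")
```

Only the first sample is credited; the zero-value transaction and the overstated one are both rejected with a reason an operator can alert on.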
According to the team's Twitter account, a well-known THORChain developer became aware of the attack and asked the node operators to issue the command "make halt" to temporarily shut down the exchange and prevent further losses. 1/3 of the nodes voluntarily issued the command, reaching the required threshold to halt all operations.
First of all, let's consider the benefits of the project being open source and transparent. Hiding the attack would have been impossible given the fact that the exchange operates on a transparent, public blockchain. Compare this to a centralized exchange which could easily cover up an attack for weeks or months before informing their customers.
Also, the fact that the project is open source allows these attack vectors to be fixed more rapidly compared to closed-source alternatives. The team has already released a patch and has engaged professional security teams HalbornSecurity and TrailOfBits to further audit their code.
We must ask, however: how decentralized is THORChain if a single developer can halt it by making an announcement? Only 1/3 of the nodes need to issue the "make halt" command and the entire network shuts down. This is by design, as the project is still in its early stages and needs to be prepared to respond to these types of attacks.
From a historical perspective, both Bitcoin and Ethereum had catastrophic faults in their early days, in which the community had to come together, patch their nodes, and restart the network. THORChain has only been operational for a couple of years and also needs time to mature.
Room For Improvement
The vast majority of active nodes on the network are hosted by either Amazon Web Services or Digital Ocean. Ideally they would be distributed more evenly across many cloud computing providers, and preferably some nodes would be operated in private data centers, to enhance decentralization and security.
Having all nodes hosted on Amazon Web Services (AWS) or Digital Ocean would be problematic because both companies could hypothetically shut down all THORChain nodes simultaneously, similar to what AWS did to alternative news source Parler.
What better way to foster innovation and progress than through a little friendly competition? While THORChain was the first team to develop a cross-chain DEX, a couple of other groups (Sifchain and Swingby) have forked the code and gotten started on their own cross-chain projects.
Each project will learn from the mistakes of their competitors, resulting in the most optimal code and service for users. Investors should allocate a portion of their portfolio to each project, as they may all have a certain level of success in the future.
All publicity is good publicity. In the long run, THORChain will benefit from the extra attention it gets from this attack. More eyes on THORChain means more developers, bloggers and influencers paying it the attention it needs to grow.
The team handled the attack well. They were transparent about it on their social media, explained at a high level how the attack happened, and promptly published their action plan for moving forward.
One key rule of successful investing is to keep your emotions at bay. Anyone who purchased the RUNE token should have known full well that it was a risky investment and been prepared for setbacks and temporary losses. We must learn from our mistakes, accept our losses, and move on.
Both the team and community have shown great strength throughout these past few days. We all know that a functional cross-chain decentralized exchange is worth getting over these inevitable obstacles. THORChain will come out of this incident more resilient and be more prepared for mass adoption.
Disclaimer: A small portion of the author's portfolio is allocated to RUNE.