If you want more cryptocurrency analysis including full-length research reports, trading signals, and social media sentiment analysis, use the code "Publish0x" when subscribing to CryptoEQ.io to make your first month of CryptoEQ just $10! Or simply click the button above!
THORChain is inherently complex, including over a hundred thousand lines of code per their documentation. The network has many different working parts with much of its technology (such as the cross-chain bridging) comes with novel assumptions. Early audits of the protocol found multiple “critical” issues within the code’s functionality.
These critical vulnerabilities ended up being exploited in a trifecta of hacks that occurred during the summer of 2021. In late June of 2021, a hacker managed to steal $140,000 in funds. At the time, this was a small hack and did not lead to any catastrophic loss of capital or investor confidence, but it demonstrated that THORChain’s complex underlying code had exploitable issues. Instead of addressing the problem directly, the THORChain team dismissed the breach as only “a small amount” compared to other hacks.
So, THORChain effectively did nothing to counteract the exploitable faults in any depth. This led to follow-up attacks on the network. Following the June 2021 hack, the network was hit two additional times - one for $7 million and another for $11 million for a total loss of $18 million in assets.
These two hacks were reportedly carried out by the same individual. The hacker sent a message within the transaction data that stated the following:
With the hacker’s transaction message in mind, it appeared as though the hacker intentionally limited the damage conducted during the two network attacks. After investigations were conducted on the breaches, it was found that the hacker could have taken a significantly higher amount of capital and effectively stripped entire pools of liquidity.
It was partially admitted that the project went ahead and launched prior to the code being fully audited and reviewed to avoid delaying the project’s road map. The two breaches were a wake up call to THORChain and led to the protocol waiting for in-depth third-party audits to be conducted on the network’s code. THORChain now holds a 93-rated security score from the third-party auditing company Certik.
So, to sum up, the three hacks on THORChain:
- The project rushed the code and neglected to wait for audits to deploy THORChain on the market faster
- The first hacker found an exploit and stole funds, which was dismissed by the THORChain team
- A second hacker stole $18 million in funds in a purposefully limited attack, sending a message directly to the team to “not rush code.”
- THORChain took the opportunity to conduct full-scale audits and correct any bugs but only after three separate attacks.
External Market Risks
THORChain took a step forward in utilization with the March integration of Terra Luna, which gave THORChain natives access to the TerraUSD (UST) stablecoin. After Terra’s inception into THORChain, it had grown to one of the largest pools behind Bitcoin & Ethereum prior to its collapse. UST had originally given THORChain the title of the holy trinity, especially considering the assumed advantages of a decentralized, on-chain collateralized stablecoin in UST.
On May 9th, the cryptocurrency market began experiencing selling pressure which led to a significant decline in LUNA and in Bitcoin. This created a massive problem for Terra as it held Bitcoin as reserves for UST, and price decline in LUNA creating a loss-of-confidence event in UST. As selling occurred, it depegged the price of UST. This only reinforced fears and created a negative feedback loop that eventually led to the collapse of both the UST token and LUNA token.
The collapse of Terra outlined the potential dangers of integrating new chains onto the THORChain network. Though not indicative of any problems with THORChain directly, it does demonstrate that inherent market risks within the cryptocurrency space can still be passed through to other protocols like THORChain. Of course, this risk is shared by other exchanges (both CEXs and DEXs) as they hold liquidity of these projects. The main takeaway though is the elevated risk for nodes. Because nodes must run full nodes of all approved chains integrated on THORChain, node operators experienced a double loss of capital and resources that were dedicated to running a Terra Luna node.