The THORChain Hack of 07/2021

By fabio- | fabio | 17 Jul 2021

On July 15th, the THORChain network suffered a severe hack. At first estimate, an uncertain amount of ETH was stolen from the LPs (liquidity pools), with initial news pointing to a value as high as 13,000 ETH (summing up to a whopping $26 million).

The team's response was immediate: trading was halted to identify the issue, and every LPer (Liquidity Provider) was assured that the stolen coins would be refunded via the treasury.

After a thorough investigation, the losses summed up to approximately $4.9 million. The nodes are currently updating their software to a new version that fixes the bug, LPers will have their funds reimbursed, and everything will shortly be running again.

What is the lesson to be learned here?


What is THORChain?


For those of you unfamiliar with THORChain, it is possibly the next big thing in DeFi. Let me give you a brief overview: it is a decentralised cross-chain liquidity protocol. And what the hell is that? Basically, it is a decentralized exchange (DEx) that allows trades of coins on their native blockchains, while using RUNE as the settlement currency. Want to swap BTC for ETH while keeping your keys? No problem, just create a wallet, send your BTC to it, swap it to ETH, and voilà!

Without THORChain, for said trade, your main alternative is a Centralized Exchange (CEx), where there is the usual KYC and counterparty risk. I'm sure you are familiar with the motto: "Not your keys, not your coins". Depending on the exchange, you might also run into low volumes of liquidity, and if you want a huge trade directly via the platform without OTC trading (over the counter), you are in for some nice price slippage.

The in-between alternative is an atomic swap, where the trade takes place in a P2P fashion. That has other complications, since you have to agree on the price and on the quantity. With THORChain, you have to agree on neither. The roles perfectly balance each other out to create a great environment. I'll be sure to make a post sometime soon going into more detail, but you can find a great explanation in the docs.

Sure, there are also some nice DExes out there, such as Uniswap. How is THORChain different? The main difference lies in it being cross-chain. Other DExes are single-chain, and you can use them as long as the bridge between the coins is available. But that is another big risk in itself.

Before we go any further, I'd like to highlight some things regarding THORChain:

  • The developers are anonymous, but transparency is key. Treasury reports are published monthly, and the code is open-source.
  • The code has been audited over 7 times, by well-known firms such as CertiK.

So how the hell does an attack like that take place? Some things need to be considered carefully.

Crypto is a whole new business model

The entire cryptospace is extremely new. If we consider the creation of Bitcoin in 2009, that would sum up to a little over 12 years. One could argue that it is in fact a lot less than that. Take into account the learning curve, where the majority of people first came into contact with it only several years later, and then approached it with caution and mistrust. It took a long time to escape this scenario (did we??), and for others to see the potential not only in Bitcoin, but in Blockchain technologies. Ethereum was only released in 2015, and I firmly believe that we are still only scratching the surface of all the possibilities in the crypto domain.

And where does that leave us? At risk, of course!

The traditional markets as we know them, be they financial or not, have been battle-tested for centuries. It took a long time for people to create new instruments that seem almost trivial today. Take for example a stock: the possibility of purchasing a share of a company is something that goes back to the 1600s in Amsterdam, with the purchase of shares of the Dutch East India Company.

A crypto project in itself is also a sort of business. It is a software project with a purpose and goal in the real world. And you can partake in it by purchasing coins, mining/staking/pooling, or even joining the development/community. The main difference in my opinion between a crypto project and a company lies in the transparency and openness. Let me be clear: I'm not talking about outright scams that have no real value or purpose. By the way, I have also written an article about the red flags of crypto, to help identify said projects.

So, regarding the attributes I mentioned, let me use a traditional business as an opposing example. Consider a company. A badly managed one, even. Let's say a usual office company that sells paper (a barely hidden reference, ahem). It can be viewed from two perspectives. The public perspective: the company website, the services it offers, its publicly-traded stocks (if listed), its physical building, etc. And the private perspective: how employees are treated, the problems it faces, the internal sales goals, etc.

Now let's say that this office company has suffered a severe ransomware attack due to its lack of attention to data security: a problem in the private domain. So what happens to the company in the public domain? That depends on how it deals with this fact, and even on whether it decides to make it public. Let's disregard legal affairs for the moment, especially if it is a publicly-traded company. It can choose to absorb the damage internally, and even try to pretend the event never happened! Its customers keep receiving the paper they're buying, the website is fully functional, and the building is still standing right there. The company treasury has suffered heavily, and surely the bonuses will be diminished this year, but the customers don't even have to deal with this piece of information.

You might have noticed what I'm getting at here: crypto projects have no private domain. Everything's public. The software is open source (for most projects), and the trust its clients have in using it is directly correlated with how well it provides this degree of transparency. Once it is live, it's an entity that in itself is only as valuable as the size of its network. The trust does not lie in a single group of people, but in its vast number of users. In being a client of the product, you are also, in a way, purchasing a share of the company itself (where else would the insane price multiples come from?). It's the magic of decentralization.

But this magic of decentralization is still an infant. Problems like hacks will continue to happen with several projects that have been audited dozens of times, with open-source software and in ways that can break them for good. Bitcoin had code problems involving massive inflation in its early days. Even Ethereum, which is a great framework for new tokens to develop on top of the network, had the massive hack and subsequent fork that generated Ethereum Classic!

Crypto projects need nothing but a lot of time. Incidents will happen, and they can happen to every coin out there. Yes, even Bitcoin! Take aviation: how did planes get so safe? By, well... falling. They got safe because several accidents happened in the past, and because of the work put into mitigating and reducing the risk of the same accident happening again. Only in this manner can this class of problem be approached. It's a problem of an unknown unknown: a black swan event cannot be predicted.

Add to that another meaningful detail. Consider a bank that has its vaults in the middle of the street. It's a transparent vault, so you can see all the money that's been deposited inside it. The lock is also visible, and it has an intricate mechanism that shows exactly the code it's running. This is a liquidity pool. Crypto projects have a lot of public exposure. This entices criminals to try whatever means available to get a portion of this sweet pie.

Too big a risk?

Let me summarize my findings thus far. It is a new business model that must be transparent about everything. Its transparent vaults are located in the open, and we know that the risks exist, but we have no idea what they will be! What does one do to approach this scenario?

Let's first consider the project perspective. Say you were put in charge of securing this vault. Several things could be done:

  • Hire some specialized firms (or individuals) to assess how secure the lock is, and make changes as needed to add more layers of security to it.
  • Limit how much money can be added to the vault, so that if someone manages to break through the lock, the amount of money available is limited. Increase the limit as your perception of security increases.
  • Create a treasury or an emergency fund, that can be accessed to reduce or possibly eliminate whatever unknown damages come your way.
  • Learn from the attacks and improve your business.

Well, the THORChain team did all of those! The project is only 2 years old, and we are still in what's called the Chaosnet. That means we are exactly where this sort of problem can happen, and the project gets stronger the more battles it faces.

Now we take a look at the investor perspective.

For the regular investor, one alternative is to choose not to approach the dangers of the Chaosnet altogether. If the risk of ruin is too great, perhaps it is not one worth taking. As Nassim Taleb put it brilliantly in Fooled by Randomness:

Imagine an eccentric (and bored) tycoon offering you $10 million to play Russian roulette, i.e. to put a revolver containing one bullet in the six available chambers to your head and pull the trigger. Each realization would count as one history, for a total of six possible histories of equal probabilities. Five out of these six histories would lead to enrichment; one would lead to a statistic, that is, an obituary with an embarrassing (but certainly original) cause of death. The problem is that only one of the histories is observed in reality; and the winner of $10 million would elicit the admiration and praise of some fatuous journalist.

If you don't want to be on the losing end of playing such a game, the choice of staying out is always available.

There is however a better alternative, and that lies in diversification. An investor should never go all-in on anything.

The price of $RUNE, the settlement currency of THORChain, has taken a dip, as expected. I dare not give any price predictions as to where it is headed, since the market is anyway still so heavily correlated to Bitcoin. In the long run, however, I believe the scarcity and value it provides will define its true price.

If you have $RUNE or are considering investing in it, there is possibly no better time than now. After all, you can't bring back home the spoils of war if you don't go to it! If you prefer to wait for the Mainnet, I hope to see you in the future. I for one believe in the great potential of THORChain and in the problems it set out to solve and did so brilliantly. DExes have become fundamental parts of the crypto universe, and our individual freedoms will depend on our financial freedoms.

Thank you for your attention!

This is not financial advice, always DYOR. Tips are not necessary, but appreciated.
