THORChain Suffers a $7.8 million Dollar Attack. How a $1.4 billion Blockchain Behemoth Steadies the Ship.

By Rekt | Rekt Report | 3 Aug 2021


Two weeks ago, the 65th-largest cryptocurrency at the time, with a $1.4 billion valuation, suffered a $7.8 million attack, amounting to about 4,000 Ethereum coins held on the blockchain.

Founded in 2018, THORChain is a cross-chain exchange that facilitates transactions between the Binance, Ethereum, and Bitcoin blockchains, addressing the difficult problem of swapping between blockchains without paying sizable fees each time. This is a tremendous pain point, and THORChain's efforts have been well received, pushing its token up from a low of $0.00851264 two years ago to a high of $20.89 two months ago.

This stratospheric growth speaks to why cryptocurrency projects have seen price-to-earnings valuations of 200+ and, in the case of Coinbase, hitting 300 at their IPO. At this valuation if you made $100,000 for Coinbase as a salesperson, you delivered an astonishing $30,000,000 in value to shareholders.


For venture capitalists in the space, this is particularly powerful: if they had taken a meaningful position at any time in 2018 and held until the peak two months ago, they could have made equal investments of the same amount in 2500 other companies, had them all go belly up, and still remained a profitable fund.

If you go 1/2500 in your sales job then the likelihood of a handsome Christmas bonus is low. If you have a blockchain-focused seed fund and you exhibited "diamond hands" enough to hold on for dear life during violent volatility, you would be the toast of cocktail hours across Sand Hill Road and other VC watering holes the world over, positioning yourself well for a likely fully subscribed next funding round.

The bulk of THORChain's assets are "staked" by liquidity providers, who lend their assets in exchange for RUNE, the project's core crypto. So, for example, if you lend BTC and RUNE to one of the liquidity pools, you'll be earning both BTC and RUNE for transaction fees and system rewards as swaps are done on either side: BTC->RUNE & RUNE->BTC.


THORChain doesn't have assets synthetically tied to a price by an oracle; rather, arbitrage trading bots and individuals, seeking to squeeze a profit from the price differences of an individual cryptocurrency on different blockchains, keep the liquidity pools' volume high amid regularly large price swings. Passive liquidity providers earn a steady stream of rewards, often representing an APR of 10%+, even after technical considerations like "impermanent loss," which chips away at total return if the tokens, when removed from the liquidity pool, aren't at the same ratio of value as when you first staked them.

[Figure: impermanent loss graph]

These liquidity providers amount to a community, often of similar interests and expertise. The strength of a decentralized project lies in this community. These keepers of the gate play an important role in safeguarding the project's intellectual property, blockchain-secured assets, and critical decision making. This power is entrusted to their care through the distribution of the project's tokens, giving them sway in votes on measures, just as voting stock shares extend such privileges to equity owners.

While a single individual can be asleep at the wheel at an organization, the multitude of individuals steering the ship of a large cryptocurrency project have proven themselves to be often less likely to let something slip between their collective fingers. With many having a meaningful stake in the project's success, it's in their unified best interest to ensure the smooth sailing of a project en route to gaining greater traction and adoption. This upward clip of utilization, if achieved, bodes well for the project and, in turn, should be reflected in a higher token price for the underlying project.

Reddit is the home for long-form crypto discussion, Twitter for short-form, and Discord for internal communications within an organization. The beauty of the blockchain being a public ledger is that it's accessible by all to scrutinize and audit as they see fit to best satisfy their curiosity and comfort with the suitability of a project for investment. This amateur auditing is largely done by project proponents, but those with nefarious intentions are also eyeing possible exploits with this same level of intensity and attention to detail. Truth be told, many of these "black hat" coders are even more skillful than their "white hat" or "gray hat" counterparts, oftentimes giving these wolves the keys to the chicken coop and the upper hand in exploit situations, like the one that just happened.

It's more expedient to extract a quick $8 million from a project you have no meaningful stake in than to put in the time to community organize, pore over code, trumpet successes, evangelize use case innovations, and grow a project from its nascency. So these hackers embrace the worst in human nature and take the easy road to riches, unfortunately to the detriment of the community.

When something does go afoul, the community is quick to respond, as you can see here with the bug ticket submission within the Discord for this 7-figure hack.


Such vigilance is imperative to cauterize the bleeding on a project, such as this, with vulnerable assets well into the millions of dollars.

For a physical bank robber, $1,000,000 in gold bullion bars would weigh 48 pounds. Moving the same $1,000,000 on the blockchain takes a few clicks, can be almost entirely obfuscated, and is largely carried out via double-jump VPN systems that auto-incinerate their logging records, which would have been critical to piecing together the investigative breadcrumbs beyond what is visible on the public blockchain.


When an exploit happens, it's largely embarrassing to the leadership, who must stomach relentless criticism from those who saw a drop in the value of their investment. These hard-earned dollars lost are painfully felt, and investors are happy to pass the pain on to those they deem culpable, whether through negligence or lack of foresight, or, as often happens, those they suspect of having orchestrated an inside job, known as an internal rug pull.

It's because of the precedent set by so many unscrupulous precursor projects that all future projects have to undergo scrutiny that can only be described as reasonable, given the track record of the ecosystem and the number of offending projects. Some blockchains are more brazen offenders than others. What it really comes down to, however, is that when actions don't have consequences felt on an individual basis, decision-making can take a dangerous turn to squeeze short-term gains out of what would most ideally be long-term visions charting a course of healthy growth for an ambitious project.

While many are quick to dismiss THORChain as ill-prepared for this insidious exploit, the fact is that many of their safeguards actually did much to temper the tide.


While it's natural to want to grab one's pitchforks and go after foundational developers, in this instance it appears that the "guarded launch" approach was deftly implemented from the outset, and while the hackers made away with a sizable ransom, these preventative measures did much to arrest what could have been further damage.


For those new to the space, Chris Blec is one of the most well-regarded decentralized finance watchdogs, with 23,700 followers, including the most influential project leaders in the space. For a niche industry, this is an enormous following. Chris was kind enough to answer questions for this article, amidst his busy schedule of crafting compelling video content, informative Twitter tweets, and churning out some highly listenable crypto podcasts.


Chris references Layer-2 solutions and trustless tech in his answers. A Layer-2 solution is a network or technology that operates on top of an underlying blockchain protocol to improve its scalability and efficiency. The most widely known cryptocurrency, Bitcoin, is a Layer-1 network, and the "Lightning Network" is a Layer-2 solution built to improve transaction speeds on the Bitcoin network. A trustless system just means that the participants involved do not need to know or trust each other or a third party for the system to function. In this defined trustless environment, there is no single entity that has total authority over the system, and consensus, allowing a function to happen, is achieved without participants having to know or trust anything other than the blockchain itself.

Q: What is the danger in allowing whales, through the Proof-of-Stake/Bond type of approach to securing the blockchain, to control the voting processes and revving up and turning off of nodes to a blockchain?

CB: "If you're talking about Ethereum's Proof-of-Stake (POS), for instance, the biggest danger there is that Proof-of-Stake basically equates to money, greed, and wealth running the validation network of blocks.

So validation of blocks is happening based on a consensus vote from the biggest validators and the biggest validators are the wealthiest, the biggest, the richest, the corporations, the ones with the most invested in the protocol.

Their incentives might not always match up with what's best for the chain. So, for instance, if one day in the future, Goldman Sachs bank becomes a huge validator on Ethereum. The question becomes is their incentive always going to be stronger to protect the network than it is to attack it? We don't know the answer to that.

We hope, and we assume, that it would always be in their best interest to protect the network, to not get slashed, to protect their own interests on the network. But these huge corporations that are most likely to become the biggest stakers, the biggest validators, they have a lot of other corporate interests outside of the Ethereum network so we don't know what the future holds. We don't know how big of a world Goldman Sachs is going to be living in when it becomes a validator on Ethereum. And, of course, it's hard for people to imagine, like Goldman Sachs or JP Morgan or, or even the U.S. government becoming like, we don't know, like five years from now, the U.S. government could be the biggest validator on Ethereum. What do we do then?

We know that the U.S. government is not fully incentivized to protect the Ethereum network at all times, but we've left ourselves open to that kind of problem by moving to Proof-of-Stake."

Q: Do you think there should be a concerted effort on behalf of the community to clamp down on words like "decentralized," if the project is not delivering on the meaning of the word in their blockchain’s technical architecture?

CB: "Decentralized is a vague term. It's a spectrum and there's no absolute decentralization. There's no absolute centralization. Even Bitcoin is not a hundred percent decentralized, but it's the best that we have. So using Bitcoin, as the decentralization benchmark, is a fair thing to do, but when a project uses the term "decentralization" and "decentralized," it's a subjective term, a little bit.

Now, if Coinbase says they're decentralized will we voice opposition? Yes, because I think it's pretty clear to everybody that they're much closer to what we know as centralized in financed space versus decentralized, which would be Bitcoin. But for a lot of projects on Ethereum, it gets into that gray area where there's somewhere in the middle.

I think it's fair for people to push back if they feel like the term is being abused, but it'd be very difficult to have any kind of rule or metric or any kind of law about how the term could be used."

Q: Do you see the DeFi being built on Bitcoin as potentially impactful as the DeFi that is currently being built on Ethereum presently is?

CB: "It certainly could be, and here's the reason why: the one thing that's unique about DeFi on Ethereum is that it can be built directly on Ethereum on the base layer, and it can be built trustlessly on the base layer, but DeFi on Ethereum has not embraced that idea. And most DeFi on Ethereum has not been trustless. It's really relied on permissionlessness as its unique selling proposition, and it's abandoned the idea of trustworthiness for the most part.

The problem is when you rely just on permissionlessness, it becomes very easy for other chains to replicate that without your strong base layer validation, that's why Binance Smart Chain, Polygon, and others have been able to compete, because they don't need a trustless mechanism to compete, because they're really just competing on what Ethereum DeFi has prioritized, which is permissionlessness.

When it comes to Bitcoin, it absolutely can compete. Once a Layer-2 is built that gains adoption, like TBD, which is being built by Jack Dorsey and others, that has real potential, just another Layer-2, just like Polygon, but on top of Bitcoin.

So why not, right? If you can have that Layer-2, if you can send your Bitcoin across a bridge to get there, if you can have stablecoins and you can have other coins on this Layer-2, that's programmable, just like Ethereum, why wouldn't it compete? I don't see a reason why it wouldn't. It might even overtake DeFi on Ethereum, if it can gain enough adoption.

And again, if it wants to win this battle, it would need to focus on trustlessness on the base layer, which Bitcoin can not do easily with DeFi. Bitcoin can have trustless Bitcoin, obviously, but it can't have trustless DeFi on its base layer at this time. So it has to rely on a Layer-2. Ethereum is not going down that road so I think that if they're going to face a lot of competition that they otherwise might not have needed to face."

Q: You have shown yourself to bravely call out lead dev teams of powerful projects for their sloppy security standards and have been met with an avalanche of abuse from these same devs, bots, and proxy accounts. How important is watchdog work by visible influencers to limit the rug pulls for those entering the ecosystem?

CB: "Thank you. The main focus of my work is on transparency. And there are others out there that are really focusing on each individual project and looking for specific things that people need to be worried about, and that's really valuable stuff too. To limit people, getting into bad situations. But my focus has been on transparency and letting users get access to the information that they need to make their own risk assessment with our own brain, right? Because I think everybody's got a different risk tolerance. So if somebody wants to participate with a reckless piece of garbage, insecure DeFi project, I don't really care if they want to do that as long as they know, and they have the information they need to understand that it's reckless and insecure and crappy in general.

So, I think that transparency is really the number one thing. Now, obviously, a scam is not going to be transparent, so scammy projects are not going to be transparent. So we still need people out there who are looking for crimes that are happening in that sense. But I do think that if every DeFi project were responsible and they provided transparency or users expected it and got it from reputable projects then maybe from projects that are less reputable and they didn't get it at least when they're not getting the transparency, they know they're not getting the transparency and they can take that into consideration when they're trying to assess the risk. But, either way, I think there's two categories here, and that's transparency and then there's, there's the actual watchdog-like crime investigation stuff that's going on with scams. I think those two things are very important going forward."

Q: The tone by project leads getting in your face for innocently putting spotlights on blatantly visible exploits has been disquieting and would not be tolerated by a C-level executive operating on Wall Street, even though many crypto projects have market capitalizations well in excess of even NYSE-listed companies. Why do you think so many of these devs fly off the handle rather than embrace the decorum that would best bode well for their project in the long run, and what, as a community, can we do to promote greater civility in addressing and fostering these discussions?

CB: "I don't think they're behaving that much differently from a Wall Street executive. And the reason is that I'm not asking questions that they can defend against. I'm asking questions that they have no good answer to, because I want to raise the awareness of that fact with users. I want users to understand that there are questions outstanding about the security of these projects that even the developers don't have answers to.

They don't have good solutions for. And when I ask those questions to the project, for them to respond, they would have to admit that. But for them to admit that would, in their eyes, make them look bad to users, investors, et cetera. The right way to respond would be to say, you know what, Chris, you're right.

You're raising a very important issue that we don't yet have the answer to. And we would like to, over the next few months or years even, work towards a resolution on that for now, we don't have a good answer and we acknowledge that, and this is not a perfect situation, but we'll get there eventually, but we're not even getting that.

So I think it's a lot of it is immaturity and just fear of looking bad if they don't have all the answers, but again, I don't think it's that different from if you ask a Wall Street executive, or a politician or anybody who is in charge of anything a question they don't have a good answer to, nine times out of ten, they're just going to ignore the question. You would hope that DeFi would be different, but it's proving itself to be the same as those other black box type of industries. Unfortunate."

Q: Speaking on a large-scale ecosystem basis, do you think projects should strive to achieve true decentralization and fork to deal with the exploits, a la Ethereum and Ethereum Classic, or must every DeFi project have some circuit breaker of some sort, behind a multi-sig, community of nodes, or DAO-based community-centric solution to stabilize periods of instability?

CB: "So this depends on the goal of the project and the complexity of the project. I do believe that any project that launches in a centralized fashion with a multisig or with a tight knit community of nodes is going to have a much harder time fully decentralizing than a project that launches fully decentralized, fully trustless. So we have yet to see a project that didn't launch trustlessly become fully trustless, and there's a lot of reasons for that, but the most important one is that trustlessness and decentralization are much messier, much slower, much less profitable than centralization.

So once a project starts in a centralized state for them to give up profit, give up speed, give up efficiency, give up all that stuff that comes with the centralization, it gets very, very difficult, especially when they have investors that they owe a return on their investment to.

So I'm much more in favor of projects, launching trustlessly without multisigs, without DAOs, without nodes, if they can, and then upgrading users to new versions when needed. A lot of projects that are just way too complex to do that. So when you look at something like THORChain, due to the complexity of their project, they probably can never reach a point of full trustlessness, where they don't have the nodes, just because of how complex their system is. I could be wrong about that, but based on what I know, I don't think they could ever become Uniswap-level trustless.

So it really depends on their goal, but again, I always lean towards projects that launch trustlessly and aim to stay trustless and stay decentralized over their lifetime. And then migrate users from one version to the next, when they want to make upgrades and make improvements."

Thanks, Chris. You're an asset to the ecosystem.

In my dealings with the devs of THORChain, I can say that they have been far more forthright than any project I've interacted with in the eye of the storm during a challenging time. Even in the midst of what many perceive to be a four-alarm fire, the team was good enough to get back to me on the questions I had, promptly.

Q: THORChain has taken painstaking efforts to amass a sizable treasury reserve to make LPs victims of exploits whole. Why was this a priority to your dev team?

THORChain Team: "During chaos, it is necessary to assure users that their contributions of capital are protected, since the risk is high."

Q: The noted DeFi watchdog Chris Blec, famously tough on crypto projects, said of the exploit: “Keep in mind - THORchain has been responsibly using a guarded launch approach to its rollout. This exploit could have been much worse if they had just recklessly launched without caps on its liquidity pools.” What about a guarded launch approach spoke to you when you crafted the project’s technical architecture?

TCT: "At THORChain, it [was] necessary since it needs to scale its security."

Q: What was the timeline between when the first dev was made aware of the exploit—either by emilyrutherford in the Discord’s bug section or independent of this—and when the nodes went offline?

TCT: "Around 30 minutes."

Q: How important is the node delegate vote to pull the circuit breaker on the blockchain to plug the levee of possible leaks to other blockchains?

TCT: "1/3rd of nodes are needed to halt the network. Soon, 2/3rds will be able to halt a specific chain."

Q: How would the auto-solvency checker have halted the network within 1-2 minutes versus 2-3 hours, for the lay reader?

TCT: "The auto-solvency checker allows nodes to report on the solvency of the network continually, if consensus is reached that it is insolvent, then it can halt that chain."

Q: You mentioned in a tweet that “When a centralized exchange is hacked, users don't find out [until] months later [when] their withdrawals are blocked or delayed” Speaking on a large-scale ecosystem basis, do you think projects should strive to achieve true decentralization, independent of exploits, and fork to deal with the exploits, a la Ethereum and Ethereum Classic, or must every DeFi project have some circuit breaker of some sort, behind a multi-sig, community of nodes, or community-centric solution to stabilize periods of instability?

TCT: "THORChain is a live network with funds only a few seconds away from withdrawal at any time, so it must be well-equipped to protect capital."

Q: THORChain is well-known for generous bug bounties and regular, exhaustive audits. How important are these penetration test professionals and white hat hackers to the on-going efforts to practice good code hygiene?

TCT: "It is important and will be funded for the next 12 months as planned obsolescence is achieved."
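The two halt mechanisms the team describes above (node votes to halt, and continual solvency reports that halt a chain once consensus is reached) can be modelled in Python as follows; this is an added illustration, not THORChain's code. The class and method names, the nine-node set, the vault amounts, and the use of the quoted 2/3 figure as the consensus level for solvency reports are all assumptions.

```python
from dataclasses import dataclass, field
from fractions import Fraction

# Fractions quoted in the interview. Using the 2/3 figure as the consensus
# level for solvency reports is an assumption of this sketch.
NETWORK_HALT = Fraction(1, 3)
CHAIN_HALT = Fraction(2, 3)


def meets(votes: int, active: int, threshold: Fraction) -> bool:
    """True when votes/active >= threshold, compared exactly (no floats)."""
    return active > 0 and Fraction(votes, active) >= threshold


@dataclass
class CircuitBreaker:
    nodes: frozenset                                    # active node ids
    halt_votes: set = field(default_factory=set)        # manual halt votes
    insolvent: dict = field(default_factory=dict)       # chain -> reporters
    halted_chains: set = field(default_factory=set)
    network_halted: bool = False

    def vote_halt(self, node: str) -> bool:
        """Record a manual halt vote; returns whether the network is halted."""
        if node in self.nodes:                          # ignore unknown voters
            self.halt_votes.add(node)                   # a set: no double votes
        if meets(len(self.halt_votes), len(self.nodes), NETWORK_HALT):
            self.network_halted = True
        return self.network_halted

    def report(self, node: str, chain: str, observed: int, owed: int) -> bool:
        """Record one node's solvency check; returns whether chain is halted.

        observed: funds the node sees in the vault on `chain`
        owed:     funds the network's own ledger says the vault should hold
        """
        if node not in self.nodes:
            return chain in self.halted_chains
        reporters = self.insolvent.setdefault(chain, set())
        if observed < owed:
            reporters.add(node)
        else:
            reporters.discard(node)                     # latest report wins
        if meets(len(reporters), len(self.nodes), CHAIN_HALT):
            self.halted_chains.add(chain)               # stays halted: latched
        return chain in self.halted_chains

    def may_send(self, chain: str) -> bool:
        """Outbound transfers are refused while either breaker is tripped."""
        return not self.network_halted and chain not in self.halted_chains


def demo():
    """Constructed scenario: 9 nodes, ETH vault about 4,000 short."""
    cb = CircuitBreaker(nodes=frozenset(f"node{i}" for i in range(9)))
    owed, observed = 13_000, 9_000                      # constructed amounts
    trace = []
    cb.report("intruder", "ETH", 0, owed)               # not active: ignored
    for i in range(9):
        cb.report(f"node{i}", "ETH", observed, owed)
        cb.report(f"node{i}", "ETH", observed, owed)    # repeat: counted once
        trace.append(cb.may_send("ETH"))
    return cb, trace


if __name__ == "__main__":
    cb, trace = demo()
    print(trace, cb.may_send("BTC"))
```

In the constructed run, ETH outbound transfers stop when the sixth of nine nodes reports the shortfall, while BTC keeps operating until a third of the nodes vote for a network-wide halt.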

For all that THORChain has been perceived to have done wrong, they have done a great deal right through all of this, especially in having a $100 million reserve fund, which is rightly being dipped into to make all affected parties whole.

 

The project has seen a 31.6% drop over the last 7 days, with much of the movement happening as the events of the exploit became known on a more widespread basis. You can determine, based on your own internal due diligence, if this represents an appropriate repricing.

Projects equipped to weather the storm of unforeseen exploits with an insurance fund of some variety, rather than doing a "haircut" of all users' assets across the platform so that everyone suffers together by decree, have fared better in the long term and are to be commended for their responsible forethought.

No matter what organizational size you're heading, problems will occur, and it's how responsibly you face these challenges that determines the caliber of your leadership, forged in the uncomfortable crucible of crisis, and the longevity of the organization.

--

For more interviews like this one with the THORChain official team developers, key DeFi/blockchain watchdogs, and influential crypto commentators, remember to subscribe to this newsletter.

Look out for a forthcoming Part 2 of this story, discussing the chain of events from the eyes of those that experienced it most intimately, the major players in this ecosystem attempting to piece together the technical puzzle pieces, and whale-level investors attempting to profitably traverse these frothy waters.
