Thorchain was hacked. The problem of bridges. Review.

by COINS NEWS

Guys, I understand that the news is not new. But I would like to tell you my thoughts and find out what you think.

Thorchain's first hack occurred last week and allowed hackers to steal 4000 ETH; the second occurred this week, and the hacker was able to steal more than $8 million.

After the first hack, the project team had a choice, either to launch the protocol again, knowing about the possible risks, or to stop the blockchain for 6 months to conduct a full-fledged audit.

We know what we saw in the end. The team decided to take a risk, well, the risk was perceived by hackers as a challenge. As a result, we have a second hack, which has become even more destructive than the first.

The attacker took advantage of the refund vulnerability; here is the sequence of his actions. The network was halted during the attack; refunds and LP withdrawals are still allowed. The attack can be described as a lack of proper multi-event handling. The hacker targeted the refund logic.

The simple attack steps:

• The attacker created a fake router (contract address), then a deposit event was emitted when the attacker sent ETH.

• The attacker calls returnVaultAssets() with a small amount of ETH, but the router is defined as an Asgard vault.

• The Thorchain Router forwards the ETH to the created fake Asgard.

• This creates a fake deposit event with a malicious memo.

• Thorchain Bifrost intercepts this as a normal deposit and refunds the attacker due to a bad memo definition.

Here’s what he managed to steal (~$8M USD) using such a simple logical chain.

966.62 ALCX

20,866,664.53 XRUNE

1,672,794.010 USDC

56,104 SUSHI

6.91 YEARN

990,137.46 USDT

What mistakes did the creators of Thorchain make?

I will say right away, my opinion is not expert and does not carry any negative assessment of the actions of the developers, I’m just expressing my thoughts. And so let’s get started.

The developers themselves admitted that their product is very difficult to implement, since it contains a large number of cross-chain options. Unlike Uniswap and other DEXs, swaps on Thorchain were implemented not with wrapped coins, but directly.

I mean, when you change BTC to LTC via BEPSwap, then you do not get wBTC or wLTC, as on UNI, but immediately change BTC to RUNE, and RUNE changes to LTC in automatic mode. This is a simplified example, everything is a little more complicated :)

The main mistake is that the developers have concentrated on a large number of blockchains. By creating opportunities for more flexible exchange, developers missed important security points, sometimes neglecting them in favor of easier use.

Thus, we have gaps that at some points become vulnerabilities. I really hope that the developers will fix their shortcomings, and the hacker who hacked Thorchain will show up and return all the funds.

What conclusions can we draw?

Despite the long time that has passed, the market for DeFi products and cryptocurrencies is still maturing; such situations have occurred and will continue to occur in the future.

But among all the options, you need to be able to find those opportunities that will be safer. I want to say now that you need to choose more carefully.

Here are the selection criteria I would suggest:

  1. The team has been developing for more than 10 years and has experience working in large companies;
  2. The team pursues ambitious goals and has really working products;
  3. Developers are focused on a few key things, rather than trying to keep up with all the features;
  4. There is a strong community;
  5. During the existence of the coin, it has not had any serious security problems;

What do you think about this?

submitted by /u/osmimsc
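
The attack steps listed in the post, turned into a defensive check, as an added example that is not part of the original post and is not Thorchain's code: a simplified Python model of an observer deciding which logs of a single transaction may be treated as deposits. The event names, the placeholder addresses and the three rules (trusted emitter only, known vault only, no partial processing of a transaction that mixes event kinds) are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed placeholders, not real contract addresses.
TRUSTED_ROUTER = "0xRouter"
KNOWN_ASGARD_VAULTS = {"0xAsgardA"}

@dataclass(frozen=True)
class Log:
    emitter: str  # contract that emitted the event
    name: str     # "Deposit" or "VaultReturn" (simplified names for this model)
    to: str       # vault named in the event as the receiver
    amount: int   # wei
    memo: str = ""

def validate_tx(logs):
    """Return (accepted_deposits, reasons) for the logs of ONE transaction."""
    reasons = []
    router_logs = []
    for log in logs:
        if log.emitter == TRUSTED_ROUTER:
            router_logs.append(log)
        else:
            # An event from any other contract (a fake router) is never a deposit.
            reasons.append(f"{log.name} from untrusted emitter {log.emitter}")
    # Multi-event rule: a transaction that mixes event kinds is never
    # partially processed; the observer acts on none of it.
    if len({log.name for log in router_logs}) > 1:
        reasons.append("mixed event kinds in one transaction")
        return [], reasons
    accepted = []
    for log in router_logs:
        if log.name != "Deposit":
            reasons.append(f"{log.name} is not a deposit")
        elif log.to not in KNOWN_ASGARD_VAULTS:
            reasons.append(f"deposit to unknown vault {log.to}")
        elif log.amount <= 0:
            reasons.append("deposit with no value")
        else:
            accepted.append(log)
    return accepted, reasons

# Constructed transactions; the second and third follow the sequence in the post.
HONEST_TX = [Log(TRUSTED_ROUTER, "Deposit", "0xAsgardA", 10**18, "valid-memo")]
ATTACK_SHAPED_TX = [
    Log(TRUSTED_ROUTER, "VaultReturn", "0xFakeAsgard", 1),
    Log("0xFakeRouter", "Deposit", "0xFakeAsgard", 10**21, "bad-memo"),
]
MIXED_TX = [
    Log(TRUSTED_ROUTER, "VaultReturn", "0xFakeAsgard", 1),
    Log(TRUSTED_ROUTER, "Deposit", "0xAsgardA", 10**21, "bad-memo"),
]
```

Because nothing is accepted from the attack-shaped transactions, no deposit exists for a refund path to act on, whatever the memo says.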