Cross-chain decentralized exchange THORChain has suffered its second multi-million-dollar hack in as many weeks, with $8 million worth of Ether impacted.
However, the attack appears to have been carried out by a white-hat hacker, with THORChain announcing the perpetrator had requested a 10% bounty. ETH will be halted until the code has been audited.
Liquidity providers impacted by the exploit will be subsidized using the project’s treasury funds
The whitehat requested a 10% bounty – which will be awarded if they reach out, and they should be encouraged to do so.
It is a tough time for the community and project, and the pain is real.
The treasury has the funds to cover, but it’s time to slow down.
— THORChain (@THORChain) July 23, 2021
The exchange — which is still in the middle of a staged beta launch called Chaosnet — conceded that the “complexity” of its state machine comprises THORChain’s “Archille’s heel,” however asserted that its issues “can be solved with more eyes on, as well as a re-think in developer procedures and peer-review.”
A screenshot shared from the project’s Discord forum appears to show a message forwarded to the project by the hack via transaction data.
The hacker claims they deliberately minimized the damage from the exploit in a bid to teach THORChain a lesson, stating: “Do not rush code that controls 9 figures,” and “Disable until audits are complete.”
The hacker adds that they could have stolen Ether, Bitcoin, Binance Coin, Lycancoin, and many BEP-20 tokens if they had wanted to, asserting that “multiple critical issues” were found and that a 10% bug bounty could have prevented the incident.
message from hacker… pic.twitter.com/1j8wOPcYHa
— zillaQuest!? (@zillaQuest) July 23, 2021
On July 16, Cointelegraph reported that THORChain had been halted after 4,000 Ether worth $7.6 million was drained from the protocol. The protocol unsuccessfully proposed a bug bounty to the hacker in exchange for returning the stolen funds.
Related: ChainSwap announces compensation and ‘deep audit’ plan after $8M exploit
The decentralized exchange also lost $140,000 in a separate exploit suffered last month.