Popular cross-chain liquidity exchange THORChain was compromised in a new DeFi hack in which $7.6 million was stolen, its second security breach in less than a month.
THORChain announced the security breach on Twitter and initially estimated the loss at about 13,000 ETH (around $25 million). Later, however, this was revised on Twitter, with the project claiming, “At this stage, the estimate is around ~4000 ETH worth of assets (ETH/ERC20) was taken, not 13k ETH. More detailed assessment and recovery steps will be announced soon. The users who suffered (LPs) will be made whole in the coming weeks.”
According to the project team, attackers exploited a vulnerability in the Bifrost protocol that allowed them to redirect ETH tokens to their own accounts. Bifrost is a multi-chain DeFi protocol that enables multichain connectivity by building a bridge between blockchains. Bifrost ETH was recently updated for better composability.
In the THORChain community Telegram channel, administrators have suggested the project has the funds needed to cover users’ stolen assets but expressed a preference for the hacker to return the stolen funds in exchange for a bug bounty.
“While the treasury has the funds to cover the stolen amount, we request the attacker get in contact with the team to discuss return of funds and a bounty commensurate with the discovery,” a Telegram post stated, adding that user funds “will be available when the issue has been patched & the network resumes.”
As a precautionary measure, THORChain paused its network, with the team assuring users that only liquidity providers were affected. THORChain has since tweeted that its preliminary roadmap to recovery is underway, announcing that after the flaw is patched and the network is restarted, Ether will be donated to liquidity provider pools to reimburse impacted users. After that, the team plans to engage security firms to have its contracts audited.
Today’s attack is not the first time THORChain has been targeted by hackers. During its Chaosnet deployment, it had lost around $140,000 worth of assets over the previous month. At the time, the project had claimed it was “very mature and resilient.”