$140k in funds were taken by a targeted exploit on a logic error in the ETH Bifrost. The network was halted by nodes and patched. Swaps were re-enabled 6 hours later.
A small logic bug in the Ethereum Bifröst caused a carefully-crafted ERC-20 to be mis-interpreted as ETH.ETH and swapped into the network.
Total funds stolen:
- – 9352,4874282 PERP
- – 1.43974743 YFI
- – 2437.936 SUSHI
- – 10.615 ETH
- Total value: ~$139k
The bug was that all non-ETH assets were being initialised with common.ETHAsset (ETH), but if the symbol returned “ETH”, it would skip. This means that it was being reported as ETH.ETH and not ETH.ETH-0xaddress.
The fix is to initialise the assets with common.EmptyAsset and return before handling ERC20s. This was merged.
Temporary Protection
The other issue that had to be dealt with was there were several pending attack transactions that had not yet been observed by THORChain, since the attacker continued their transactions after the network was halted. If the network was brought back online prior to processing the update, these transactions would have been processed, which would have been silly and a waste of funds. Logic was added to ignore these specific transactions, coming from specific addresses.
THORChain is run by consensus of the super-majority. If the super-majority choose to run code that can protect their capital (and LP’s capital, by consequence) from obvious attacks, then they will. LPs opt to put their capital in a network with a fixed ruleset — if the ruleset changes unfavourably via updates, then LPs can withdraw. Nodes choose to run code, if they are presented with an update they don’t agree with, they can not update (blocking the upgrade until they are churned due age) or LEAVE the network and not run it at all. Alternatively they can present a counter-update to the community that restores the rules they agree with.
Five transactions were made:
14.9 ETHOS for PERP
But 0 ETH in transaction:
https://etherscan.io/tx/0x966CB083D116DA2E0D1D115A99381DB2200BD39FF75D38CFAC DC17B1368F1159
14.1 ETHOS for PERP
https://etherscan.io/tx/0xB74F4860E24F04E9E32ACE36735285D518A8A36BF8E8DCC868D7 508BB60947C9
9.151 ETHOS for SUSHI
https://etherscan.io/tx/0xB56DF76D4BF1384DC2744692D744DE44EFADCEC7226C6255532 A0D1EBDB5ABCC
12.014 ETHOS for YFI
https://etherscan.io/tx/0x7CF72852118597E6FF65226A17EAE5A078B6DE7AF791A6324906 D9D456F2B1B6
11.872 ETHOS for YFI
https://etherscan.io/tx/0x514C90C817C270663513E91492D77E9F7282598F5AFC3711800E 311B6E00BE99
When they were approving ETH for trading, trading was halted. Then they tried to do one more transaction after trading was halted:
https://etherscan.io/tx/0xAE3FAB1E5CFAE0A04F25155EC9047CF0F99DF4DDF7DDA1F1351E D4720FA3C030
For which they got a refund of REAL ETH.
Discovery and Update
0 mins : Unusual transaction reported from users
5 mins : DEVs acknowledge it and let node operators know
20 mins : Nodes stop the network, super majority needed.
2h : Software fix
4h : Super majority of nodes updated / fixed
6h : Resume swaps
Recovery
- Restore solvency to the vaults (funded by the Treasury)
- Refund Node Operator Bonds that were slashed when the network was brought partially back online and didn’t have full consensus
- Pay the Bug Bounty to the reporting user
The community are looking for 30 days of no major bugs before mainnet. This classifies as a major bug, so the clocks are reset.
There is a scheduled TrailOfBits audit in 2 weeks, which will do a full code-review. THORChain team will continue finding and scheduling audits, especially since the code is being upgraded to service THORFi, which adds to the complexity theatre.
In addition the team will more prominently establish a bug bounty for finding and reporting bugs. Attackers will always have eyes on the code looking for loop holes. THORChain community can also incentivise this behaviour but favourably for the network.