Cross-chain decentralized exchange (DEX) THORChain has been attacked for the third time this year and the second time within a week.
THORChain posted the alert on its Twitter feed on July 23, just a week after it was exploited for $5 million in a flash loan attack.
The protocol stated that this time the figure lost was around $8 million and that the attack was carried out by a benevolent white-hat hacker that has requested a 10% bounty.
“THORChain has suffered a sophisticated attack on the ETH Router, around $8m. The hacker deliberately limited their impact, seemingly a whitehat.”
THORChain confirmed that the attacker will be awarded the bounty requested if they reach out, and they should be encouraged to do so.
“It is a tough time for the community and project, and the pain is real. The treasury has the funds to cover, but it’s time to slow down.”
It stated that systems will be halted until the code can be fully audited. In a screenshot posted from THORChain’s Discord channel, the hacker claims to have purposely limited damages in a bid to teach the protocol a lesson. It stated: “Do not rush code that controls 9 figures,” and “Disable until audits are complete.”
The hacker also claimed that they could have taken Ethereum, Bitcoin, Binance Coin, Lycancoin, and other BEP-20 tokens if they had wanted to, adding that “multiple critical issues” were found. A 10% bug bounty would have prevented it, they added.
THORChain stated that the project is too important not to deliver on, adding:
“The complexity of the state machine is currently its archille’s heel, but this can be solved with more eyes on, as well as a re-think in developer procedures and peer-review.”
Protocol advocate and ShapeShift CEO Erik Voorhees remained pragmatic:
“Thorchain has had a horrible month, not going to sugar coat it. Bleh. The project needs to slow down. Time to take the tortoise strategy. Regardless, I remain a committed supporter, and am glad these issues are being discovered during chaosnet.”
On July 16, BeInCrypto reported that the DEX protocol was exploited using another router vulnerability in which it lost around $5 million. THORChain was also targeted by hackers in a June attack, costing it around $140,000.
RUNE price tanks again
THORChain’s native token, RUNE, dumped 27% from an intraday high of $4.80 to bottom out at $3.50 a few hours ago according to CoinGecko. The much-hyped token has now lost 38% over the past fortnight in the wake of the two incursions.
At the time of press, RUNE was trading at $3.84, down 81.5% from its May 19 all-time high of $20.87. According to DeFiLlama, THORChain’s total value locked was $101 million. It has lost 30% of its collateral since it peaked on July 7.