THORChain post-mortem: could they have prevented the hacks?

6 min readAug 15, 2021

Decentralized finance (DeFi) has quickly grown into a rich, versatile, and large place where, unfortunately, a lot of malicious characters lurk trying to get their grubby little hands on someone else’s assets. And they’re far from being unsuccessful. In 2020, hackers got away with an estimated $3.8 billion in crypto money through various hacks, rug pulls, evil contracts, and other exploits.

If this trend continues, who knows how much more they’re going to pinch in 2021.

These events are affecting the livelihood of millions of people who are losing their savings and investments this way. Investing into assets on the blockchain is nerve-wracking enough, without adding the worry about protocol hacks. For many, it’s still better to hold coins that go -90% than to lose those coins altogether.

Some of the most recent attacks were on THORChain, a protocol that facilitates token swapping between blockchains.

THORChain and its streak of bad luck

Founded by a pseudonymous team in a Binance hackathon in 2018, THORChain’s unique selling point is the next-level user experience it offers to everyone involved. One part of the protocol was launched in the summer of 2020, while the multichain version went live in April 2021 — which means this is not a recent project with little experience.

Since the beginning, THORChain has been ticking all the right DeFi boxes. It’s very decentralized and transparent, with weekly updates on Medium covering every stage of its development, as well as the monthly treasury reports. Its code was audited as many as seven times before the multichain launch. Every week its team works diligently on finding bugs and fixing them.

The protocol is based on Tendermint and Cosmos SDK and uses a proof-of-stake network, allowing users to supply and swap assets in continuous liquidity pools (CPLs). Pools are provided by liquidity thanks to holders, due to which they can receive rewards on swap fees.

THORChain’s team has been very open about the hacks that victimized it, detailing them all on its own incident page.

The July 15 hack

After the protocol was already hacked once in June 2020, when hackers stole $140,000 in assets, its bad luck continued, and on July 15, it happened again.

This time, the attacker exploited a bug in the ETH Bifrost (bridge) code by depositing 0, which was unexpected and caused a loop escape. Ironically, the code contains a comment that explicitly states that it is important not to leave this vulnerability open.

This oversight has cost THORChain dearly. The attacker withdrew $5 million in tokens, consisting of ETH and other ERC20 tokens, such as SUSHI, DODO, YFI, etc. THORChain’s operations were halted and resumed several times and updated to a new version intended to prevent this hack a couple of days later.

Schooled again on July 22

Sadly, the hack of July 15 was not the end of the nightmare for THORChain and its users. In another attack on July 22, the hackers got away with an even bigger piece of the cake — 8$ million in ERC20 tokens.

This time, they exploited a different part of the code, ‘returnVaultAssets’ on the ETH router contract. Essentially, the hacker got a refund for tokens they did not deposit by tricking the network into thinking they had deposited it. Apparently, they wanted to teach the company a lesson, as they left a memo, saying that the attack could’ve been much worse:

“Could have taken ETH, BTC, LYC, BNB, and BEP20s if waited

Wanted to teach lesson minimizing damage

Multiple critical issues

10% VAR bounty would have prevented this

Disable until audits are complete

Audits are not a nice to have

Do not rush code that controls 9 figures”

In short, the hacker was asking for a bounty that is 10% of the stolen funds. The company acknowledged that this was a “sophisticated attack” and that it needed “time to slow down”. For the time being, the network is chain-halted while the team is reviewing the code. After that, it will restore solvency and restart everything. No dates were specified for any of these stages.

Despite these horrific hacks, THORChain’s native token RUNE has managed to keep its head above water. Its price did experience drops right after the news of the hacks broke out both times, but has since recovered and currently trades at $7.21. Its fully diluted cap is around $2 billion.

How to avoid getting scammed?

Learning about hacks such as these probably has you thinking that there’s no safe space and that you should just stay away. However, things aren’t as bleak as they might seem and there are ways to protect yourself against becoming a victim if you’re considering investing in crypto:

  • Read through the ERC20 token code, checking for suspicious functions, like “mint” and “approve”.
  • Check the developers’ holdings, like the percentage of the token supply they hold, and make sure the token supply isn’t overly centralized.
  • Especially important in the case of yield farms, avoid those platforms with suspicious functions like “InCaseTokensGetStuck”. There’s absolutely no reason for this function to exist and it needs to be removed, period.
  • Make sure the project has been audited by reputable auditors, such as CertiK.
  • Avoid extremely high and unrealistic APYs.
  • Be cautious of anonymous teams.
  • Check the code for plagiarism, as a lot of scams are naked forks of other DeFi protocols with a new user base.
  • Look for hack-mitigation procedures implemented in the code, such as Lossless.

What is Lossless?

The first tool of its kind, Lossless tracks and detects hacks to help affected entities to recover their losses. It is simply a piece of code that token creators insert into their own to prevent exploits. Here’s how it works:

  1. Lossless freezes any fraudulent transactions based on several parameters to prevent major exploits from happening.
  2. The freeze is urgently deployed after the hack. Whoever identifies the hack and freezes the transaction is rewarded.
  3. Longer and permanent freezing takes place after the hack is verified by the Lossless committee which then carries out steps to reverse the fraudulent transaction.

To put it simply, this simple piece of code has an On/Off switch. This switch can be activated to prevent hacks and exit scams from happening and to freeze funds instantaneously. If a hack is confirmed, 7% of the funds are retained by the protocol. The best part? Two percent of the fee goes to the person who identified the hack.

Lossless is also working on creating an L-wrapping mechanism that will wrap popular tokens on DeFi protocols to enjoy the same security guarantees. L-ETH and L-BTC will soon start popping up everywhere.

If you ask me, I would feel way better about investing in a project that has implemented the Lossless code. Some protocols have already recognized the potential of Lossless as the best anti-hacking protection and have adopted the Lossless standard.

One of them is Brokoli Network (BRKL), the first climate-friendly DeFi ecosystem and the first DeFi project to make use of the Lossless anti-hack tool on all of its network’s smart contracts by default.

Opportunities mixed with risks

The DeFi market is a wonderful place, full of opportunities for everyone involved. However, it needs to address the volume of protocol exploits that are starting to happen increasingly more often and over short periods of time, stunting its growth. If the industry is ever to spread its wings, then Lossless and other fraud mitigation smart contract tools are needed to facilitate it.




World’s first unrivalled exploit identification and mitigation tools, designed to foolproof web3 from malicious activity.