{"id":46780,"date":"2021-07-27T18:10:01","date_gmt":"2021-07-27T15:10:01","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=46780"},"modified":"2025-09-01T18:07:10","modified_gmt":"2025-09-01T15:07:10","slug":"thorchain-halts-operations-after-a-string-of-hacker-attacks","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/thorchain-halts-operations-after-a-string-of-hacker-attacks\/","title":{"rendered":"THORChain halts operations after a string of hacker attacks"},"content":{"rendered":"<p>The THORChain protocol team announced a halt to operations after several hacker attacks.<\/p>\n<blockquote class=\\\"twitter-tweet\\\">\n<p lang=\\\"en\\\" dir=\\\"ltr\\\">THORChain is the only decentralised liquidity network* <\/p>\n<p>*currently paused.<\/p>\n<p>But it&#8217;s about to become the most secure, only decentralised liquidity network.<\/p>\n<p>THORChads are insanely focussed right now on nailing this. <\/p>\n<p>And they deliver.<\/p>\n<p>\u2014 THORChain (@THORChain) <a href=\\\"https:\/\/twitter.com\/THORChain\/status\/1419999942584659973?ref_src=twsrc%5Etfw\\\">July 27, 2021<\/a><\/p><\/blockquote>\n<p> <script async src=\\\"https:\/\/platform.twitter.com\/widgets.js\\\" charset=\\\"utf-8\\\"><\/script><\/p>\n<p>During <a href=\"https:\/\/u1f987.com\/en\/news\/thorchain-defi-protocol-halted-after-hacker-attack\">first<\/a> attack, attackers managed to deceive the Bifrost service, which is responsible for connecting nodes to blockchains and implementing witness transactions.<\/p>\n<p>Several days later the protocol <a href=\"https:\/\/u1f987.com\/en\/news\/thorchain-the-defi-project-hit-by-another-hacker-attack\">was again affected<\/a> by hackers&#8217; actions. Using a specially crafted contract, the attacker forced the THORChain protocol Bifrost to accept fake assets, and withdrew them as real assets.<\/p>\n<p>There was also another method of fraud reported. Hackers conducted an airdrop of UniH tokens among 76,000 Ethereum addresses. However, the THORmaximalist Twitter account strongly advised ignoring the tokens, as after approving them for swap on Uniswap the contract would empty the user\u2019s wallet.<\/p>\n<blockquote class=\\\"twitter-tweet\\\">\n<p lang=\\\"en\\\" dir=\\\"ltr\\\">Someone is airdropping UniH tokens to ETH adresses. <\/p>\n<p>Just ignore : do not exchange them on UniSwap. If you approve it for swaping, the contract will drain your wallet.<\/p>\n<p>\u2014 THORchain.BULL (@THORmaximalist) <a href=\\\"https:\/\/twitter.com\/THORmaximalist\/status\/1418575601770930178?ref_src=twsrc%5Etfw\\\">July 23, 2021<\/a><\/p><\/blockquote>\n<p> <script async src=\\\"https:\/\/platform.twitter.com\/widgets.js\\\" charset=\\\"utf-8\\\"><\/script><\/p>\n<p>The token code for the project (RUNE) was built with a transferTo function that uses tx.origin instead of msg.sender. It allows any contract to take payment from a user without prior permission, explained ForkLog smart-contracts developer Alexey Matiyasyevich:<\/p>\n<blockquote class=\\\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\\\">\n<p>&#8220;The transferTo function additionally removes the balance from the original transaction sender regardless of who invoked it. In this case, the user sent the transaction to the contract, the contract called RUNE, and the balance was taken from the user&#8221;.<\/p>\n<\/blockquote>\n<p>He noted that the simplest attack pattern is to disseminate malicious tokens to all RUNE holders, add a liquidity pool on Uniswap in a ETH pair to create a price for the tokens, and wait for the user to attempt to sell them.<\/p>\n<p>Analyst Sergey Nedashkovsky said that a total of 20,422 RUNE were stolen from nine users:<\/p>\n<blockquote class=\\\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\\\">\n<p>&#8220;The attack method was triggered by 22 users, but only nine had a positive balance at the moment of the attack&#8221;.<\/p>\n<\/blockquote>\n<p>The community discovered that THORChain\u2019s team knew about the danger of using transferTo earlier, but did nothing.<\/p>\n<blockquote class=\\\"twitter-tweet\\\">\n<p lang=\\\"en\\\" dir=\\\"ltr\\\">One of the dumbest things I\\&#8217;ve seen <a href=\\\"https:\/\/t.co\/RQ6brLfj1t\\\">https:\/\/t.co\/RQ6brLfj1t<\/a><\/p>\n<p>\u2014 Igor Igamberdiev (@FrankResearcher) <a href=\\\"https:\/\/twitter.com\/FrankResearcher\/status\/1418585645136625667?ref_src=twsrc%5Etfw\\\">July 23, 2021<\/a><\/p><\/blockquote>\n<p> <script async src=\\\"https:\/\/platform.twitter.com\/widgets.js\\\" charset=\\\"utf-8\\\"><\/script><\/p>\n<p>Before the halt was announced, project representatives signaled the addition of additional tools to protect against attacks, while adding:<\/p>\n<blockquote class=\\\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\\\">\n<p>&#8220;It is unrealistic that THORChain will never be subjected to attacks, but these tools will ensure that the damage from them will be reduced&#8221;.<\/p>\n<\/blockquote>\n<p>Earlier in July, hackers exploited a critical vulnerability in the cross-chain bridge ChainSwap\u2019s smart contract and <a href=\"https:\/\/u1f987.com\/en\/news\/hackers-drain-more-than-4m-from-defi-projects-due-to-chainswap-vulnerability\">moved more than $4 million<\/a> from DeFi projects.<\/p>\n<p>Read ForkLog&#8217;s bitcoin news in our <a href=\\\"\/\/telegram.me\/forklog\\\" target=\\\"\u201c_blank\u201d\\\" rel=\\\"\u201cnofollow\u201d noopener\\\">Telegram<\/a> \u2014 cryptocurrency news, prices and analysis.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The THORChain team announced a halt to operations after several hacker attacks.<\/p>\n","protected":false},"author":1,"featured_media":26216,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1301,1154,1093],"class_list":["post-46780","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-blockchain-vulnerabilities","tag-crimes","tag-defi"],"aioseo_notices":[],"amp_enabled":true,"views":"26","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/46780","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=46780"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/46780\/revisions"}],"predecessor-version":[{"id":46781,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/46780\/revisions\/46781"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/26216"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=46780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=46780"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=46780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}