October 28, 2021 — Contributors to THORChain, a decentralized cross-chain liquidity protocol, announced today that the protocol has completed a full recovery after summer exploits that revealed vulnerabilities in parts of its Ethereum bridge code.
After completing two security audits by Trail of Bits and Halborn, THORChain’s development team and dedicated security team have executed a five-step plan that has now restored its protocol to full operation.
With a network restart, THORChain has brought its Bitcoin, Ethereum, Binance Chain, Litecoin, and Bitcoin Cash integrations back online to resume cross-chain trading and automated market-making functions.
“Decentralized finance is still very much in its infancy and experimental stages,” said Chad Barraford, Technical Lead at THORChain. “With hacks and exploits causing hundreds of millions of dollars in losses, it was important to the THORChain community development team that the time and diligence was spent to work alongside the best security auditors and white hat hackers in the industry to fortify the protocol.”
“After several long months of auditing and hardening the protocol, we are glad to recommend to THORNode Operators that they can restart their nodes, and inform the community of the steps that we have taken to further secure THORChain and the dApps and platforms that are building on top of it.”
In addition to undergoing two simultaneous audits, THORChain has commissioned Immunefi to run a bounty program that identifies new vulnerabilities on an ongoing basis, and Halborn Security to continuously monitor the network and run through each new product release line by line, 24/7.
“As THORChain completes its audits, we’re pleased to have their bug bounty program on our platform expand further and cover more of their software,” said Travin Keith, Co-Founder of Immunefi. “With this expansion, more of THORChain will be open to our community of whitehat hackers looking for vulnerabilities before blackhats find them.”
“Additionally, if blackhats find them, they are given an opportunity to receive clean money to encourage them to responsibly disclose the vulnerability they discovered instead of exploiting it and leading to a loss of user funds. We look forward to seeing THORChain’s continued growth and will work with the team to continue making THORChain safer with our community.”
According to Steve Walbroehl, Co-Founder and CISO of Halborn Security, “THORChain is one of the most multi-faceted ecosystems in decentralized finance” as it provides a very large set of capabilities.
“However, with extra functionality comes extra complexity, and complexity is an enemy of security,” said Walbroehl. “It’s easy to overlook attack vectors or vulnerabilities when you have this level of complexity in a system while also developing in an environment that iterates as fast as the cryptocurrency market. This eventually led to the incidents that would justify bringing security teams like Halborn to help prevent this from happening in the future. With Halborn focusing on the security, it provides THORChain the resources to help manage risk while they focus on continuous development and innovation.”
In addition, THORChain has implemented an Automatic Solvency Checker to pause network transactions in the event of any perceived threat to the protocol’s overall solvency.
Prior to this update, THORChain’s autonomous and decentralized nature made it so the only way to stop a liquidity attack was for nodes to shut down their machines. In the new update, THORChain has introduced a Node Operator Timeout function that will allow any node to call a time-out for the network if they suspect an attack.
With new features like automatic solvency checks, node operator timeout, and delayed outbound transactions, the network has blanket protections that put the protocol in a much more defensive position. So much so that, even if an exploit is discovered, an attacker's ability to extract funds is severely limited, to the point where it is more profitable to be a white hat than a black hat.
To further protect ecosystem participants and stakeholders, THORChain is pursuing a self-insurance option that utilizes the THORChain protocol reserve of $1.2bn RUNE to offer cover against future black swan events, hacks and exploits.
“THORChain is chain-agnostic, critical infrastructure for the entire crypto ecosystem. We believe that the multiple auditors involved and our creation of THORSec (THORChain’s dedicated security team) set the needed foundation to deliver truly decentralized, native, layer-one asset swaps,” said Gavin McDermott, founder of Nine Realms, an institutional infrastructure provider for THORChain.
At the time of writing, there is more than $350 million total value locked on THORChain, which powers more than $1 billion in total network volume.