Cross-chain decentralized exchange THORChain has suffered its second multimillion-dollar hack in as many weeks, with $8 million worth of Ether impacted.
However, the attack appears to have been carried out by a white hat hacker, with THORChain announcing the perpetrator had requested a 10% bounty. ETH will be halted until the code has been audited.
Liquidity providers impacted by the exploit will be subsidized using the project’s treasury funds.
The exchange — which is still in the middle of a staged beta launch called Chaosnet — conceded that the “complexity” of its state machine comprises THORChain’s “Archille’s heel,” however asserted that its issues “can be solved with more eyes on, as well as a re-think in developer procedures and peer-review.”
A screenshot shared from the project’s Discord forum appears to show a message forwarded to the project by the hack via transaction data.
The hacker claims they deliberately minimized the damage from the exploit in a bid to teach THORChain a lesson, stating: “Do not rush code that controls 9 figures,” and “Disable until audits are complete.”
The hacker adds that they could have stolen Ether, Bitcoin, Binance Coin, Lycancoin, and many BEP-20 tokens if they had wanted to, asserting that “multiple critical issues” were found and that a 10% bug bounty could have prevented the incident.
On July 16, Cointelegraph reported that THORChain had been halted after 4,000 Ether worth $7.6 million was drained from the protocol. The protocol unsuccessfully proposed a bug bounty to the hacker in exchange for returning the stolen funds.
The decentralized exchange also lost $140,000 in a separate exploit suffered last month.
THORChain entered into its guarded “Chaosnet” launch in April, enabling cross-chain swaps across the Bitcoin, Ethereum, Litecoin, Bitcoin Cash, and Binance Chain networks.