Hammering THORChain: It’s Totally Centralized With Hard-Coded Admin Keys

Blockchains herald the promise of decentralization. But THORChain is not the blockchain you’re looking for if you care about such ideals, with hard-coded administrative keys that demonstrate the blockchain is run by a handful of individuals.

“Holy crap, is that what our permissionless frontend enabled?”

THORChain is a wonderful example of a blockchain (and we use that term loosely) that calls itself decentralized but is in fact anything but.

It is more or less trivial to prove THORChain is anything but decentralized if anyone were to look for a few moments.

Let’s start with a code snippet:

https://gitlab.com/thorchain/thornode/blob/6ad35d8ce9bbba4c2878dda2cd801cf55337b663/x/thorchain/mimir_address.go

We could probably stop here but that’s no fun.

Especially when the details are so amusingly, and revealingly, defective.

Even by the low standards of blockchain projects THORChain is special.

“You see it starts with centralization, and well, then it ends with admin addresses.”

So here we will cover:

1. THORChain’s history of hard-coded admin addresses going back to August 2020 (i.e. the launch of the blockchain).
2. The introduction of access controls for the admin addresses in February 2023 (i.e. after the “maintenance mode” debacle with the FTX hacker and other incidents).
3. A tour of the way these admin functions are built. Mainly to show it is willfully, knowingly, bad conduct, rather than just a small mistake.
4. Some bad actor use of THORChain. Spoiler alert, it’s North Korea, and to be precise, it’s the DPRK’s hackers.
5. A taste of the confused and/or ignorant marketing being spewed about this obviously-defective-to-anyone-competent-that-looks blockchain.

So much work was put into building an admin back door for THORChain that things might get a bit rough as we proceed on our journey.

But saddle up, and we promise you it’ll be worth the trip.

“You mean to tell me these blockchains aren’t really decentralized?”

Hard-Coded Admin Addresses

The original admin addresses for THORChain were set on August 12, 2020. That’s years ago.

Which means an awful lot has transpired with respect to THORChain while there were admin keys in place.

Some might even say the admin addresses were present from the very beginning of THORChain and those initial admin addresses were:

• thor1x0akdepu6vs40cv30xqz3qnd85mh7gkf5a0z89
• thor1app3q9saxldh3jqg93ztv94pyn3gfltq0hylcx

The second admin address got swapped for

• thor1xghvhe4p50aqh5zq2t2vls938as0dkr2mzgpgh

on December 18, 2020.

Then,

• thor19pkncem64gajdwrd5kasspyj0t75hhkpqjn5qh

got added on February 16, 2021.

Finally,

• thor1x0akdepu6vs40cv30xqz3qnd85mh7gkf5a0z89

was removed as an admin address on March 22, 2021.

If that feels a bit like Genesis 5 well, maybe Heimdall and Son of Odin — the developers who did this work — had a broader education than we all thought.

“Yesiree bob, we’ve been known to attend the opera from time to time.”

Those old stories ring true sometimes.

Access Controls

The THORChain code also contains an adminMimirDenyList:

https://gitlab.com/thorchain/thornode/blob/27cc6e64fae3165280d9bdd82c98344208e768c2/x/thorchain/mimir_accesscontrols.go

As we will detail below this list is used to ensure the admin addresses cannot do everything.

But, well, it was introduced on February 23, 2023 so the ThorCHAIN admin addresses built by Odin and Heimdall was ungehindert (unimpeded) for about two years.

The admin addresses swam freely in the river and protected THORChain’s secrets, so to speak, collecting bounties without any real resistance.

And of course this access control list was actively maintained.

It is important to work your way down lists no matter what the season.

Does two addresses count as a posse? You gotta love a good posse.

List maintenance such as:

• Asmund THORsec set up the deny list February 23, 2023
• Asmund THORsec added a few functions April 11, 2023
• Multipartite added one entry March 24, 2023
• Asmund THORsec noted some impermanent loss protection call should be removed from the deny list on March 7, 2024
• akrokr deleted that protection and another line on July 31, 2024

Forgetting that the impermanent loss protection scheme surely did not work properly, this whole “deny list” for the admin address was clearly an intentional feature of the system and maintained by the THORChain team.

In Norse mythology they pronounce that mens rea.

How The Admin Functions Work

Now just to drive home how willful and intentional these facilities setup by the THORChain team were, let us tour the whole code implementation.

When the admin deny list was introduced, so was this snippet of code:

The function above “isAdmin” is basically checking to see if any given address is an admin address. So it is easy to check if a given address is an admin and if they are allowed to execute a given command.

Before the deny list existed there was only isAdmin().

Asmund expanded that out and moved these to their own file. They wrapped it all inside a validateV106() which, on June 28, 2023 got upgraded to validateV114() as:

For the non-programmers out there, this software code is checking to see if the given command can be executed, including if it is an admin-only command and the sending address is an admin.

For the programmers, yes, there are a few layers of wrapper functions between isAdmin() and validateV114() but they are as boring as you’ve imagined they are.

akrokr wrote this and clearly with purpose.

Without getting too deep into the software engineering, suffice to say there are blocks of code that handle various types of messages and each of these blocks includes logic like that to process admin messages.

The one we care about is the MimirHandler.

Mimir is the admin interface, but don’t take our word for it, read the code yourself:

Again for the programmers out there — the MimirHandler’s Manager member has references to all the important data structures where it has near-total access from there.

Elsewhere we find:

So it would appear the mimir interface can “pause” the blockchain.

Now where have we seen that before?

Binance Built a Blockchain, Except it Didn’t

And the admin could pause the “blockchain”.

Mind you, it wasn’t that the admins could pause the blockhain in theory, they actually did so several times.

It would appear therefore that the admins exercised far more control than they first let on.

“Should have passed on that second helping of beans.”

Yes we could go through this at a higher level of detail and cover other things the admin can do but, as they say, please get the Marshal and let’s save that for trial.

Bad Actor Use

Here is a sampling of THORChain use by well-known hackers:

“Fwds tracked tkns to Thorchain” means we’ve programmatically identified that address as doing nothing other than forwarding tokens to a THORChain deposit address. More addresses available here.

The Stake.com exploiter has been widely reported to be DPRK.

The FTX and CoinSpot exchange hacks were, well, hacks by someone.

That table is just a taste of identifiable bad-actor activity because, well, this isn’t a public service.

Exchange hackers. Shifty buggers.

There are also known-scam addresses using THORChain’s services, which is perhaps not as shocking as the knowledge that the THORChain backend has highly-permissioned admin keys, while the front end remains totally permissionless.

Marketing

Let’s start with this,

which is a gem from May 2021, at a time when there were two admin addresses with unfettered control of THORChain.

Sometimes people misunderstand the degree of control they, and their comrades, have.

Sometimes to their detriment.

When all you have is a hammer, everything looks like Ragnarok.

Paperwork is also very important in some countries so let’s look at THORChain’s own docs:

Sometimes you find some ridiculous details for the right blockchain protocol.

And it would appear this is indeed the right protocol. So let’s review:

• No user registration required? Check.
• Massive, widely-reported, use by hackers and various bad folks? Check.
• Full, centralized control for years? Check.
• Supposed freedom, decentralization maximalists shilling the project anyway? Check.

THORChain hits all the right notes.

“Did someone call for the Marshal?”

In our humble opinion, the Ethereum-side endpoints for THORChain alone processed billions in no-KYC funds through a centralized, custodial service, despite whatever ignorant comments about how it works that you might have heard (from people who obviously have no clue what they’re talking about).

Code may or may not be law but the law enforcement officers in Chickasaw Country certainly understand how to read dead-simple code like the snippets above.

To drive that point home consider that the trading halt function is called Ragnarok in the system,

There is a Ragnarok handler.

And checks throughout the code. Yes there is a function called RagnarokInProgess() that returns True when, well, Ragnarok is in progress.

In the git history you can see the admin deny list blocked admin use of Ragnarok starting in 2023.

That’s long after the pauses.

Further notice that in Norse mythology it is during Ragnarok that Thor, Odin, Heimdall and other characters named here meet their respective ends.

In Wagner’s telling as Götterdämmerung* the whole thing burns down pretty spectacularly and Wotan, played tonight by the recently unmasked JPThor, ends up losing more than he bargained for due to open-source contracts.**

Plantation house was not built quite up to snuff when it came round to Ragnarok.

At this point we will leave THORChain and the team at the mercy of the Marshal and the other dogs.

They’ll be fine ’cause, you know, the centralization is silent.

*It seems there was also a Marvel movie about this. No.

• *This is not a joke and is explained in Das Rhinegold and Die Walküre.