ETH Parsing Error and Exploit
$140k in funds were taken by a targeted exploit on a logic error in the ETH Bifrost. The network was halted by nodes and patched. Swaps were re-enabled 6 hours later.
A small logic bug in the Ethereum Bifröst caused a carefully-crafted ERC-20 to be mis-interpreted as
ETH.ETH and swapped into the network.
Total funds stolen:
- - 9352,4874282 PERP
- - 1.43974743 YFI
- - 2437.936 SUSHI
- - 10.615 ETH
- Total value: ~$139k
The bug was that all non-ETH assets were being initialised with
common.ETHAsset (ETH), but if the symbol returned “ETH”, it would skip. This means that it was being reported as
ETH.ETH and not
The fix is to initialise the assets with
common.EmptyAsset and return before handling ERC20s. This was merged.
The other issue that had to be dealt with was there were several pending attack transactions that had not yet been observed by THORChain, since the attacker continued their transactions after the network was halted. If the network was brought back online prior to processing the update, these transactions would have been processed, which would have been silly and a waste of funds. Logic was added to ignore these specific transactions, coming from specific addresses.
THORChain is run by consensus of the super-majority. If the super-majority choose to run code that can protect their capital (and LP’s capital, by consequence) from obvious attacks, then they will. LPs opt to put their capital in a network with a fixed ruleset — if the ruleset changes unfavourably via updates, then LPs can withdraw. Nodes choose to run code, if they are presented with an update they don’t agree with, they can not update (blocking the upgrade until they are churned due age) or LEAVE the network and not run it at all. Alternatively they can present a counter-update to the community that restores the rules they agree with.
Five transactions were made:
14.9 ETHOS for PERP
But 0 ETH in transaction:
14.1 ETHOS for PERP
9.151 ETHOS for SUSHI
12.014 ETHOS for YFI
11.872 ETHOS for YFI
When they were approving ETH for trading, trading was halted. Then they tried to do one more transaction after trading was halted:
For which they got a refund of REAL ETH.
Discovery and Update
0 mins : Unusual transaction reported from users
5 mins : DEVs acknowledge it and let node operators know
20 mins : Nodes stop the network, super majority needed.
2h : Software fix
4h : Super majority of nodes updated / fixed
6h : Resume swaps
- Restore solvency to the vaults (funded by the Treasury)
- Refund Node Operator Bonds that were slashed when the network was brought partially back online and didn’t have full consensus
- Pay the Bug Bounty to the reporting user
The community are looking for 30 days of no major bugs before mainnet. This classifies as a major bug, so the clocks are reset.
There is a scheduled TrailOfBits audit in 2 weeks, which will do a full code-review. THORChain team will continue finding and scheduling audits, especially since the code is being upgraded to service THORFi, which adds to the complexity theatre.
In addition the team will more prominently establish a bug bounty for finding and reporting bugs. Attackers will always have eyes on the code looking for loop holes. THORChain community can also incentivise this behaviour but favourably for the network.
To keep up to date, please monitor community channels, particularly Telegram and Twitter:
- Twitter: https://twitter.com/thorchain_org
- Telegram Community: https://t.me/thorchain_org
- Telegram Announcements: https://t.me/thorchain
- Reddit: https://reddit.com/r/thorchain
- Gitlab (primary): https://gitlab.com/thorchain
- Github (secondary): https://github.com/thorchain
- Medium: https://medium.com/thorchain