ETH Parsing Error and Exploit

$140k in funds were taken by a targeted exploit on a logic error in the ETH Bifrost. The network was halted by nodes and patched. Swaps were re-enabled 6 hours later.

Published in
4 min readJun 29, 2021


The line of code that caused the bug


A small logic bug in the Ethereum Bifröst caused a carefully-crafted ERC-20 to be mis-interpreted as ETH.ETH and swapped into the network.

Total funds stolen:

  • - 9352,4874282 PERP
  • - 1.43974743 YFI
  • - 2437.936 SUSHI
  • - 10.615 ETH
  • Total value: ~$139k

The bug was that all non-ETH assets were being initialised with common.ETHAsset (ETH), but if the symbol returned “ETH”, it would skip. This means that it was being reported as ETH.ETH and not ETH.ETH-0xaddress.

The fix is to initialise the assets with common.EmptyAsset and return before handling ERC20s. This was merged.

Temporary Protection

The other issue that had to be dealt with was there were several pending attack transactions that had not yet been observed by THORChain, since the attacker continued their transactions after the network was halted. If the network was brought back online prior to processing the update, these transactions would have been processed, which would have been silly and a waste of funds. Logic was added to ignore these specific transactions, coming from specific addresses.

THORChain is run by consensus of the super-majority. If the super-majority choose to run code that can protect their capital (and LP’s capital, by consequence) from obvious attacks, then they will. LPs opt to put their capital in a network with a fixed ruleset — if the ruleset changes unfavourably via updates, then LPs can withdraw. Nodes choose to run code, if they are presented with an update they don’t agree with, they can not update (blocking the upgrade until they are churned due age) or LEAVE the network and not run it at all. Alternatively they can present a counter-update to the community that restores the rules they agree with.


Transaction example:

Five transactions were made:
14.9 ETHOS for PERP

But 0 ETH in transaction: DC17B1368F1159

14.1 ETHOS for PERP 508BB60947C9


12.014 ETHOS for YFI D9D456F2B1B6

11.872 ETHOS for YFI 311B6E00BE99

When they were approving ETH for trading, trading was halted. Then they tried to do one more transaction after trading was halted: D4720FA3C030

For which they got a refund of REAL ETH.

Discovery and Update

0 mins : Unusual transaction reported from users
5 mins : DEVs acknowledge it and let node operators know
20 mins : Nodes stop the network, super majority needed.
2h : Software fix
4h : Super majority of nodes updated / fixed
6h : Resume swaps


  1. Restore solvency to the vaults (funded by the Treasury)
  2. Refund Node Operator Bonds that were slashed when the network was brought partially back online and didn’t have full consensus
  3. Pay the Bug Bounty to the reporting user

The community are looking for 30 days of no major bugs before mainnet. This classifies as a major bug, so the clocks are reset.

TrailOfBits Audit

There is a scheduled TrailOfBits audit in 2 weeks, which will do a full code-review. THORChain team will continue finding and scheduling audits, especially since the code is being upgraded to service THORFi, which adds to the complexity theatre.

In addition the team will more prominently establish a bug bounty for finding and reporting bugs. Attackers will always have eyes on the code looking for loop holes. THORChain community can also incentivise this behaviour but favourably for the network.


To keep up to date, please monitor community channels, particularly Telegram and Twitter:




The official team for THORChain — the decentralized liquidity network.