Weekly Dev Update #103

THORChain Weekly Dev Update for Week 103, 9–15 August; Chain Restarted, Critical Vulnerabilities Now Public, SCCN Ragnarok Started, Growing the TVL, MCCN Updates 0.63.0, 0.63.1, 0.63.2, SCCN Update 0.19.6, Community Updates

THORChain Author
THORChain


Summary

Phase 1 of audits is complete, and THORChain has restarted to allow nodes to update, block rewards to be paid and the ILP counter to resume.

The treasury has acquired all the assets to restore solvency on the network. Several insurance proposals are being reviewed. When the freshly audited protocol is operational next month it will both be solvent and insured.

Two critical vulnerabilities that were reported via the bounty program are now public. Updated release procedures introduced, large MCCN update successfully implemented, SCCN Ragnarok begun, growing the TVL proposals and many community updates.

Bounty Program Update

Two critical vulnerabilities were responsibly disclosed by a community member to https://immunefi.com/bounty/thorchain. They have now been patched, so they can be publicly disclosed:

1. Unlimited Affiliate Fees

THORChain did not do any bounds checking on the affiliate fee percentage, which can result in payment of unlimited affiliate fees to an attacker.
An attacker can craft a SWAP or ADD memo using their own address as the beneficiary of affiliate fees, with an unbounded affiliate fee (e.g. 1000000000000).

These rewards can either dilute the pool shares (ADD), resulting in virtually unlimited ownership of the pool and the ability to withdraw all assets, or, in a SWAP, drain RUNE that is later swapped legally into assets to steal all of the assets. Up to 100% of funds in all pools could be taken.

Related issues:

https://gitlab.com/thorchain/thornode/-/issues/1049
https://gitlab.com/thorchain/thornode/-/issues/1050

See full disclosure here.
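
The bounds check this issue calls for, written as an added Go example (not thornode's own code). The six-field memo layout, the basis-point unit and the 1000 bps cap are assumptions made for the example; the out-of-range value is the one quoted above.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
	"strconv"
	"strings"
)

// Assumptions for this example, not values taken from thornode.
const (
	feeDenominator     = 10000 // fee is expressed in basis points
	maxAffiliateFeeBps = 1000  // hypothetical cap (10%)
)

var ErrFeeOutOfRange = errors.New("affiliate fee exceeds cap")

// parseAffiliateFee reads the fee from a simplified, assumed memo layout
// ACTION:ASSET:DEST:LIMIT:AFFILIATE:FEE and rejects out-of-range values early.
func parseAffiliateFee(memo string) (uint64, error) {
	parts := strings.Split(memo, ":")
	if len(parts) != 6 {
		return 0, fmt.Errorf("memo has %d fields, want 6", len(parts))
	}
	bps, err := strconv.ParseUint(parts[5], 10, 64)
	if err != nil {
		return 0, fmt.Errorf("affiliate fee: %w", err)
	}
	if bps > maxAffiliateFeeBps {
		return 0, fmt.Errorf("%w: %d > %d", ErrFeeOutOfRange, bps, maxAffiliateFeeBps)
	}
	return bps, nil
}

// affiliateCut returns amount*bps/10000 through a 128-bit intermediate so the
// product cannot wrap, and re-checks the bound as defence in depth.
func affiliateCut(amount, bps uint64) (uint64, error) {
	if bps > maxAffiliateFeeBps {
		return 0, ErrFeeOutOfRange
	}
	hi, lo := bits.Mul64(amount, bps)
	cut, _ := bits.Div64(hi, lo, feeDenominator)
	return cut, nil
}

func main() {
	// Constructed memo carrying the out-of-range fee value quoted above.
	fmt.Println(parseAffiliateFee("SWAP:BNB.BNB:dest:0:affiliate:1000000000000"))
}
```

With the cap enforced, the affiliate's cut can never exceed the amount it is taken from, which is the invariant the unbounded fee broke.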

2. Mint 90 billion RUNE for 10 BNB — 100% of pool liquidity

90 billion fake BEP2 RUNE can be sent and redeemed for real RUNE, then swapped for 100% of assets. Up to 100% of pools without network rate limiting could have been taken and around $1m with it.

Related PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1838

See full disclosure here.

THORSec Update

THORChain is back online with 100% of validators running the latest version (0.63.2). This marks the completion of Phase 1.

The next step is to enable RUNE-only inbound handlers (bond, unbond, leave, ban, send, etc.), while keeping LP-related handlers disabled (add liquidity, remove liquidity, swap will come in later phases).

Active codepaths for Phase 2: The handlers will be activated in the next update. (See “Active Codepaths for Phases of Re-opening” https://www.notion.so/7b8622f9efff4bd49fe1bb0800ea1059 for additional details.)

In addition to THORSec and professional auditors, the community is encouraged to audit these code paths and responsibly disclose (https://immunefi.com/bounty/thorchain/) for a bounty reward.

Checklist for Phase 2:

- [x] Phase 1 Complete
- [ ] THORSec Audits Newly Active Codepaths for Phase 2
- [ ] Nine Realms provides Go/No-Go
- [ ] Update mimir setting for HALTTHORCHAIN.

Security Audit Update — Halborn

Testnet node setup is getting its final touches with the help of the community, and 3b through 3f will start this week. An additional engineer is assigned to the project.

Outcome will be released soon, see progress details here and here.

Halborn Proposal 2 with THORChain presented, read it here.

Update to PRs and New Release Procedures

Now in effect:

1) PRs need to be reviewed by 1 member from the THORChain team and 1 member from THORSec.
2) New releases are proposed by the THORChain team or Nine Realms, but need sign-off from THORSec AND Halborn. THORSec provides the wargaming; Halborn provides the whole-of-stack review.

Growing the TVL

There may be an economic limit to how deep the Total Value Locked (TVL) can get on THORChain as the total pooled cannot be more than the total bond by nodes.

Currently Node Operators need both Advanced Technical Skills as well as High Capital Requirements (bonded Rune), which reduces the number of viable node operators. Two proposals to address this are open for comment:

[feature] lite nodes

Creation of limited or lite nodes that allow bonding with low technical skills and low capital requirements. It’s also quick and easy to move from being an LP to bonding, and back again, allowing people to respond to the incentive pendulum instantaneously.

Read about it here: https://gitlab.com/thorchain/thornode/-/issues/1012

ADD: Pooled Nodes

A normal node where up to 4 trusted bonders have contributed to the bonding requirements of a node, distributing the capital requirement burden. A node operator would invite up to 3 bonders to add to their bond. These bonders would need to be in a trusting relationship with their operator.

Read about it here: https://gitlab.com/thorchain/thornode/-/issues/1067

MCCN Update

The thornode binary has been audited. THORSec, NineRealms and the dev team gave sign-offs on the thornode binary audit. NOs updated their binaries to the new release and started their thornodes.

UPDATE 0.63.0-0.63.2

For Liquidity Providers (LPs): Thank you for your patience. Please sit tight. Deposit & withdrawal is disabled at the moment to prevent an asymmetric withdrawal attack from causing further harm to pools. We need the chain online before we can assess when it is safe to allow deposit & withdrawal.

For Swappers & Arbs: All handlers are disabled. Trading will be suspended on all chains until the network has been restarted and we have systematically begun to restart individual chains per auditing results & THORSec sign-off.

For Node Operators: Get ready to restart your nodes. This is a special circumstance: restarting the network from a complete halt.

1) [BUG] block withdrawals on halt chain. PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1822

2) [BUG] halt should include synth source assets PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1823

3) [BUG] Only parse event that is emit by THORChain Router. PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1828

4) [BUG] Block multiple events in one transaction but have different to address / memo. PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1829

5) [ADD] Affiliate Fee limit. PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1834

6) [BUG] IsRune shouldn’t check cross env. https://gitlab.com/thorchain/thornode/-/merge_requests/1838

7) [BUG] HaltTHORChain should also halt msg_deposit. PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1839

8) [ADD] Add Immunefi bug bounty. PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1842

9) [BUG] do not allow outbound/internal transactions in handler deposit. https://gitlab.com/thorchain/thornode/-/merge_requests/1845

10) [ADD] Telemetry data. PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1800

11) [BUG] Emit telemetry data cause panic. PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1846

12) [ADD] block handler deposit after chain starts (1568815). PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1856

release: https://gitlab.com/thorchain/thornode/-/tags/v0.63.0 https://gitlab.com/thorchain/thornode/-/tags/v0.63.1 https://gitlab.com/thorchain/thornode/-/tags/v0.63.2

Consensus was achieved and the chain is now running.

SCCN Update

Ragnarok was invoked to start the process of shutting down Single Chain Chaosnet (aka BEPSwap).

Ragnarok will return users’ funds for them, but it will be done in chunks and may take several weeks to complete. Please be patient.

As SCCN undergoes Ragnarok, here are some stats:

  • $26m in pooled assets,
  • $32m in Bonded assets and $80m in reserves
  • $58m TVL
  • $6.4bn in total volume
  • 36 nodes
  • 5000 LPs
  • Impermanent Loss Protection Payout — 93,777 Rune (~$765K) to 477 LPs
  • Ran for approx. 12 months with no major incident or fund loss.

SCCN UPDATE 0.19.6

This release removes the mimir check in bifrost, so it can speed up the Ragnarok process. PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1859

Community Updates

ASGARDEX v.0.3.11

Download https://github.com/thorchain/asgardex-electron/releases/tag/v0.3.11

Changelog https://github.com/thorchain/asgardex-electron/blob/develop/CHANGELOG.md#0311-2021-08-10

  • [Swap] Add swap limit protection #1647
  • [Swap] Add ASGARDEX identifier to swap memo #1615
  • [Mimir] Handle halt params of Mimir #1645
  • [ERC20] Blacklist UNIH #1652

Dragons’ Dex — Weekly Update (9 Aug — 15 Aug)

  • Dragons’ Dex: added detailed asset page with actions and (bitcoin) transaction history
  • Dragons’ Eye: now supports detecting clipboard addresses
  • xchain-dart: fixed case-sensitive prefixes in QR-codes and included transaction history for bitcoin-client

New Telegram Bot for Trading

Telegram bot powered by THORChain: you can swap/add/remove liquidity and show your balances there. It’s like thorswap but in Telegram: t.me/thorgram_bot.

Right now this is just an MVP proof of concept:

  1. I am searching for seed investments.
  2. I would be glad if you could test it and find some bugs; there will be an airdrop for early users.

Community: @thorgram_public

Video description: https://t.me/thorgram_public/46

GrassRoots Crypto — 31/07–15/08

- A Liquidity Pool Example — The Numbers video released
- Assisted with catching up on Dev Weekly updates.
- Diagrams of THORChain created and looking for validation/correction. Can be seen at https://grassrootscrypto.io/THORChainDiagrams/
- Started a ‘guide to THORChain’s code base’. Documenting as I learn

Learn about THORChain and crypto at https://www.youtube.com/c/GrassRootsCrypto/

Thorboard Weekly Update (8/09–8/15)

- correct node count
- track eligible, standby, whitelist and ready nodes
- correct node rewards calculations
- update active nodes more detailed churning reasons

Rango first weekly update

— Integrated thorchain swaps
— Integrated wallets: XDefi, metamask, binance chain wallet, Keplr, TerraStation, wallet connect(only eth for now)
— Other integrations:
= osmosis both multi hop swap and IBC
= terra swap and terra bridge
= 1inch on eth,bsc,polygon
= Binance bridge

Some showcase:
https://twitter.com/RangoExchange/status/1422472186066055225 (improved routing on osmosis)
https://twitter.com/RangoExchange/status/1425917611611672576 (video of IBC, then swap, then IBC again)

Short term items:
- bug fix showing BSC balances (unmarshall api doesn’t give all token balances for BSC)
- bug fix native ETH routing
- bETH lido and terra bridge integration
- minor fixes

On the plan:
- consider chain specific halting of thorchain when routing (mimir api)
- find a useful polygon bridge (maybe connex?)
- upgrade ui
- multihop router contract on terra (terraswap+astroport+loop in one tx)
- solana (bridge and swappers, probably wormhole bridge)
- integrate thorchain synthetics
- fix non terra tokens of terra bridge

DEVOps Weekly Update (8/9–8/15)

cluster-launcher

- Update dependencies Linode
- AWS reconsiderations / improvements
- Fix cluster-autoscaler on AWS

THORmon

- Assist mainnet resumption
- Increase throughput and scale up
- Node management and reinstallation
- THORBalancer operations/adaptions
- Add SCORE column
- Inspect PWA functionality

https://thorchain.network/

TRX1’s Weekly Dev Report (09/08–15/08)

aiothornode (Python Lib)
- Tendermint block parser
- New API: THOR account balance
- New API: THOR transaction search block height or other attributes
- Added more tests, the examples were also updated

THORChain Monitoring bot
- Node op tools. Work in progress:
— Designing and implementing a menu for adding and managing nodes for monitoring
— Node address and name association
— Telegram Inline list component with pagination
— More unit tests
- Discarded BEPSwap part
- Bug fixes for recently added notification types

Xchainpy Weekly Update (8/09–8/15)

  • update ReadMe files in xchainpy_client, xchainpy_util and xchainpy_crypto
  • publish new versions of xchainpy_binance, xchainpy_client, xchainpy_util and xchainpy_crypto on PyPI
  • updating xchainpy_bitcoin started according to xchainjs_bitcoin’s changes:
    + replace bip_utils lib with bitcoinlib, to change the derivation paths (wallet_index), and implemented some new functions using this lib in xchainpy_bitcoin.crypto file
    + reimplementing Client’s methods using xchainpy_client.UTXO class (like xchainjs-client.UTXO)
    + add haskoin_api and blockstream_api files
    + change xchainpy_bitcoin.utils to use sochain_api for testnet and haskoin_api for mainnet
    + fix some bugs on haskoin_api and xchain_bitcoin broadcast_tx method using blockstream_api

SKIPexchange Weekly Update (8/9–8/16):

- Mobile interface is ready (all views are finished + footer menu) but some testing is required
- enhanced device layout change
- fixed withdraw success notices

Hoodie Weekly Update (8/16)

- fixed xchainpy-thorchain
- updated xchainpy-ethereum
- fixed bug in xchainpy-crypto

RuneYield.info Weekly Update 09/08–15/08:

- Retired runestake.info.
- Removed SCCN support from RuneYield.info.
- Began working on replacing date with block height count for LP cover calculation.
- Continued working on wallet balance integration.

block42

https://brokkr.finance/

Test interfaces and follow Brokkr updates here: Twitter: @Brokkrfinance Telegram channel: https://t.me/brokkrfinance

Bridges

How to bridge to THORChain? This is a serious undertaking, a dev should be sponsored for 6–12 months:

  1. Read https://gitlab.com/thorchain/thornode/-/blob/develop/docs/newchain.md and https://docs.thorchain.org/chain-clients/overview
  2. Implement the Chain Client https://gitlab.com/thorchain/thornode/-/tree/develop/bifrost/pkg/chainclients
  3. Add to Node Launcher https://gitlab.com/thorchain/devops/node-launcher
  4. Add to XChainJs https://github.com/xchainjs/xchainjs-lib
  5. Launch on Mocknet — demo to community
  6. Launch on Testnet, stabilise. Must be run successfully for a few weeks with no issues.
  7. Launch on Mainnet, stabilise
  8. Maintain the chain client, be on deck for hard forks, client updates and more.

Deployed to MCCN

  • Bitcoin: Deployed to chaosnet
  • Ethereum: Deployed to chaosnet
  • BitcoinCash: Deployed to chaosnet
  • Litecoin: Deployed to chaosnet

UTXO Chains

  • Dogecoin: Complete, will be activated after MCCN
  • ZCash: Scoped, rain-checked
  • Decred — Ongoing
  • Dash — Ongoing

Cryptonote

  • Haven: [paused due XHV bandwidth]
  • Monero: Pending Haven implementation

Custom

  • Cardano — Scoping
  • Polkadot: [depends on THORNode ED25519]
  • Avalanche: Scoped, WIP with team to investigate options
  • Zilliqa: Scoped, rain-checked
  • Solana: [depends on THORNode ED25519]

EVM Chains

  • Binance Smart Chain: Likely after MCCN
  • Ethereum Classic: Rain-checked
  • Rootstock: Rain-checked
  • Arbitrum: Rain-checked

IBC

A development partner has been found and will begin building IBC bridges.

Pending IBC integration — Cosmos, Terra, Kava, Secret Network, Injective Protocol, Sifchain, Akash Network.

Next Milestones

  • Audit and enable inbound msg handlers (send, bond, etc) — late this month
  • Complete Ragnarok of SCCN — Late August
  • Activate BNB Chain — Late August/Early Sept
  • UTXO Chains online — September
  • ETH Chain online — October

Community

To keep up to date, please monitor community channels, particularly Telegram and Twitter:
