ThorChain, a popular decentralized exchange that enables native token swaps across different blockchains, was exploited yesterday to the tune of $4.9M.
According to the project, the exploit was made possible by a recent upgrade to the protocol’s “Bifrost” router that connects ThorChain to Ethereum. The change allowed the attacker to trick the router using a custom wrapper contract that indicated a deposit value of 200 ETH while actually diverting the ETH back to the attacker.
The router then proceeded to allow the exploiter to swap the phantom ETH for various other DeFi tokens that remain in the exploiter’s address at the time of writing.
The exploit was detected by a community developer and ThorChain node operators immediately took action to halt their nodes. Once a third of the nodes went offline, the whole network was halted, an action that most likely prevented further loss of funds.
The ThorChain community has put together a preliminary incident report and an official post-mortem is forthcoming.
The project plans to reimburse users who lost funds using its treasury, a move sure to be welcomed by anxious liquidity providers who saw the price of ETH drop as low as $350 on the platform.
Influential DeFi figures have since rallied behind ThorChain in an affirmation that building the future of finance is not an easy path to navigate.