Is This whitehat, a Real Whitehat?

There appears to be a continuing data breach campaign against THORChain’s security system. THORChain is a cross-chain DeFi protocol that was hacked last week for the first time and suffered a loss of $8.3 million.  Now it has been hacked again, and this time, attackers allegedly managed to steal $8 million worth of the cryptocurrency Ether.

According to THORChain, the decentralized e-commerce exchange has become a victim of a sophisticated attack on its ETH router.  THORChain posted to Twitter to announce the hack and the amount it lost this time around.

On 23 July 2021, the exchange tweeted — THORChain (@THORChain):

“THORChain has suffered a sophisticated attack on the ETH Router, around $8m. The hacker deliberately limited their impact, seemingly a whitehat.”

So, the question is: Is an individual ‘whitehat’ hacker really a white hat just because the person does not totally ruin your network?  It appears that something is fishy (not phishy) here.

The THORChain team claims that the damage has been fairly limited this time, and they believe it to be a whitehat attack.  The attackers have also requested a 10% bounty.  The exchange plans to halt the amount of ETH until it gets the funds peer-reviewed with its audit partners.[1]

The unidentified hacker(s) warned the exchange that they have identified multiple critical vulnerabilities and could have caused greater damage, such as taking away larger amounts of Bitcoins, Binance Coin, Lycancoin, and other cryptocurrencies.  THORChain stated that it is concerned about the repeated cyber-attacks, as they impact its reputation in the community and affect the project’s reliability.  Though the lost funds can be covered by its treasury, the ‘DeFi protocol’ company would want to stop this ‘whitehat’.[2]  DeFi protocols (used by THORChain), or autonomous programs, were built to solve pain points in the traditional finance industry.  Decentralized lending allows users to borrow without going through the allegedly flawed banking system that many have become disillusioned with over the last decade.

In response to a series of cyber-attacks on its network, THORChain is acknowledging that the attacks were sophisticated and has slowed its operations.  Following the hacking incident, the RUNE price continued its downward slide with a -28% drop upon the attack's announcement.  With losses totaling $8 million+, some believe THORChain was possibly hit three times in the last 30 days.  RUNE is a popular cryptocurrency that is available to purchase and trade on many centralized and decentralized exchange platforms.  The most prominent of these are Binance (centralized) and SushiSwap (decentralized).  As of February 2021, the majority of RUNE trading pairs are crypto/crypto pairs.

THORChain started out as a project at the Binance Hackathon in 2018 and developed a fully functioning cross-chain decentralized exchange.[3]  Used for governance, staking, bonding, rewards, and trading, RUNE found its utility primarily as a cross-chain liquidity pool.  THORChain was founded by a pseudonymous team of cryptocurrency developers.  The project technically has no founder and none of its 18 self-organized developers has a formal title of any kind.  So the founders and administrators of THORChain are anonymous.

The native asset of the THORChain network is RUNE, which is traded against assets in every pool on THORChain, building a bridge for exchanging cryptocurrencies from different blockchains.[4]  In the most recent and sophisticated attack on the network, the hacker exploited the platform for $8 million by tricking the Bifröst protocol into accepting a fake deposit.  The Bifröst Protocol enables multichain connectivity by building a bridge between blockchains.  Cross-chain bridges address one of the decentralized community’s most vexing problems: interoperability.  The hacker then received a refund for the assets without having made a real deposit to the protocol.  A similar exploit of the Bifröst protocol led to $5 million in losses only a week ago.  It is interesting to note that the hacker left behind an explanation of the attack, claiming that it could have been much more damaging to the platform.
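The defensive principle behind the fake-deposit problem described above can be shown with a simplified model. This is an added example, not THORChain or Bifröst code: the record fields, the placeholder contract names and the sample observations are all constructed assumptions. It contrasts a refund calculation that trusts a deposit record's own claim with one that reconciles each claim against the value actually received.

```python
from dataclasses import dataclass

# Hypothetical placeholder for the bridge's own router contract; not a real address.
TRUSTED_ROUTER = "router-contract-placeholder"

@dataclass(frozen=True)
class ObservedDeposit:
    tx_id: str
    emitter: str         # contract that emitted the deposit event
    claimed_amount: int  # amount the event says was deposited
    value_received: int  # value the vault actually received in that transaction

def naive_refundable(deposits):
    """Flawed model: trust the event's own claim when computing refunds."""
    return {d.tx_id: d.claimed_amount for d in deposits}

def check_deposit(dep):
    """Return None if the deposit is backed by a real transfer, else a reason."""
    if dep.emitter != TRUSTED_ROUTER:
        return "event not emitted by the trusted router"
    if dep.claimed_amount <= 0:
        return "non-positive amount"
    if dep.value_received != dep.claimed_amount:
        return "claimed amount not backed by value received"
    return None

def verified_refundable(deposits):
    """Hardened model: only reconciled deposits become refundable."""
    accepted, rejected = {}, {}
    for dep in deposits:
        reason = check_deposit(dep)
        if reason is None:
            accepted[dep.tx_id] = dep.claimed_amount
        else:
            rejected[dep.tx_id] = reason
    return accepted, rejected

# Constructed sample observations (not real transactions).
SAMPLE = [
    ObservedDeposit("tx-a", TRUSTED_ROUTER, 5, 5),
    ObservedDeposit("tx-b", TRUSTED_ROUTER, 200, 0),
    ObservedDeposit("tx-c", "wrapper-contract-placeholder", 10, 10),
]

if __name__ == "__main__":
    print("naive exposure:", sum(naive_refundable(SAMPLE).values()))
    accepted, rejected = verified_refundable(SAMPLE)
    print("verified exposure:", sum(accepted.values()), rejected)
```

Rejected records are kept with a reason so that they can be alerted on and reviewed rather than silently dropped.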

The THORChain team identified the hacker as a “whitehat” and acknowledged that the “whitehat” caused less damage than they could have.  A 10% bounty has been requested by the seemingly whitehat attacker(s).

THORChain has announced that it will slow, maybe even stop, the network chain pending security audits.  The team will provide reimbursement to liquidity providers from its treasury.  RUNE holders and traders have undoubtedly suffered the hack's impact since the crypto-token's price has been hit yet again.  The token fell from a high of $20.30 in May 2021 to $3.87, a price drop of over 80% in less than two months.

Analysts are further checking into the motive of this ‘whitehat.’  Experience seems to suggest that the hacker could be known to the developers of THORChain.  The question is why the exchange would call the hacker(s) ‘whitehat’ when there is a 10% bounty on the hack.  Whitehats traditionally “help” companies in identifying cyber security concerns, not hold them for a bounty.  This ‘whitehat’ exposed flaws, yet seems to want a monetary reward.  Strange indeed.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

[1] https://www.hackread.com/defi-protocol-thorchain-hacked-whitehat-attack/

[2] https://www.fxstreet.com/cryptocurrencies/news/thorchain-hit-by-third-attack-in-a-month-incurs-over-13-million-in-losses-202107241025

[3] https://www.binance.com/en/blog/372982400902205440/Introducing-Binance-X

[4] https://youtu.be/WgOX3-ZI5pY
