Overview of the Three Attacks on THORChain
According to analysis by SlowMist's AML team, THORChain suffered three significant attacks with the following losses:
- June 29, 2021: A "fake deposit" attack resulted in losses of nearly $350,000.
- July 16, 2021: A second "fake deposit" attack led to losses of approximately $8 million.
- July 23, 2021: A third exploit involving a refund logic flaw caused losses of another $8 million.
The proximity of these attacks—both in timing and methodology—raises a critical question: Could the same perpetrator be behind all three incidents?
Detailed Attack Breakdowns
First Attack: The "Fake Deposit" Exploit
Attack Summary
The exploit stemmed from a logic flaw in THORChain's code, where ERC20 tokens with the symbol "ETH" were mistakenly recognized as actual Ether (ETH). This allowed attackers to swap counterfeit ETH for other tokens.
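The flaw class described above, shown beside a hardened form, as an added example that is not THORChain's code. The `Deposit` struct, the function names, the zero-address convention for native Ether, the asset-name format and the sample addresses are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Deposit is a constructed stand-in for a decoded deposit event.
// All field names are hypothetical.
type Deposit struct {
	TokenAddr string // contract address reported by the event
	Symbol    string // string the token contract returns for its symbol (issuer-controlled)
	Amount    uint64
}

// Assumption: native Ether is reported with the zero address.
const nativeSentinel = "0x0000000000000000000000000000000000000000"

// tokenAsset names an ERC20 by symbol AND address, so two tokens never collide.
func tokenAsset(d Deposit) string {
	return "ETH." + strings.ToUpper(d.Symbol) + "-" + strings.ToLower(d.TokenAddr)
}

// resolveBySymbol reproduces the flaw class: identity comes from the token's
// self-declared symbol, so any contract calling itself "ETH" becomes Ether.
func resolveBySymbol(d Deposit) string {
	if strings.EqualFold(d.Symbol, "ETH") {
		return "ETH.ETH"
	}
	return tokenAsset(d)
}

// resolveByAddress keys identity on the contract address. Only the sentinel
// maps to native Ether; the symbol is treated as an untrusted label.
func resolveByAddress(d Deposit) string {
	if strings.EqualFold(d.TokenAddr, nativeSentinel) {
		return "ETH.ETH"
	}
	return tokenAsset(d)
}

func main() {
	// Constructed sample events; the addresses are placeholders.
	events := []Deposit{
		{nativeSentinel, "ETH", 5},
		{"0x00000000000000000000000000000000000000aa", "ETH", 5}, // look-alike token
		{"0x00000000000000000000000000000000000000bb", "SUSHI", 5},
	}
	for _, e := range events {
		fmt.Printf("by-symbol=%-8s by-address=%s\n", resolveBySymbol(e), resolveByAddress(e))
	}
}
```

A regression test for this class feeds the resolver a token whose symbol matches the native asset and asserts that the result still carries the contract address.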
Key Losses (Per THORChain's Report)
- 9,352.487 PERP
- 1.439 YFI
- 2,437.936 SUSHI
- 10.615 ETH
Funds Flow Analysis
- Attackers used ChangeNOW (an anonymous exchange) to acquire initial funds.
- Profits were funneled into Tornado Cash for obfuscation.
SlowMist identified additional unreported losses:
- 29,777.378 USDT
- 78.141 ALCX
- 11.751 ETH
Second Attack: Value Override Vulnerability
Attack Summary
Attackers exploited a defect where the msg.value parameter overwrote the actual deposit amount, enabling "zero-cost" token swaps.
Key Losses
- 2,500 ETH
- 57,975.33 SUSHI
- 8.736 YFI
Funds Flow Analysis
- Initial funding traced to Tornado Cash (10 ETH).
Unreported losses included:
- 2,246.6 SUSHI
- 259,237.77 HEGIC
Third Attack: Refund Logic Flaw
Attack Summary
Attackers manipulated THORChain’s refund mechanism by spoofing deposit events with invalid memos, forcing refunds of fabricated assets.
Key Losses
- 20.8M XRUNE
- 1.67M USDC
- 990,137 USDT
Notable Detail
Attackers embedded taunting messages in transaction memos, claiming to have uncovered multiple critical vulnerabilities.
Comparative Analysis
| Attack Date | Method | Losses | Anonymity Tools Used |
|---|---|---|---|
| June 29, 2021 | Fake Deposit | $350K | ChangeNOW, Tornado Cash |
| July 16, 2021 | Value Override | $8M | Tornado Cash |
| July 23, 2021 | Refund Logic Exploit | $8M | Tornado Cash (100 ETH) |
Key Observations:
- All initial funds originated from privacy platforms (ChangeNOW, Tornado Cash).
- No overlapping wallet addresses were identified.
- SlowMist’s AML team hypothesizes a possible single attacker due to the rapid succession and escalating scale.
FAQs
1. How did SlowMist track the stolen funds?
Using MistTrack, a proprietary anti-money laundering system with ~200M labeled addresses, covering major global exchanges.
2. What’s the total loss from these attacks?
Over **$16 million**, with ~$13 million still held in attacker-controlled wallets.
3. Could these attacks have been prevented?
Yes—rigorous "fake deposit" testing and third-party audits are critical for cross-chain systems.
4. What should projects learn from THORChain’s experience?
Cross-chain designs must account for token-specific behaviors and implement robust refund safeguards.
5. Are user funds in THORChain still at risk?
SlowMist continues monitoring; exchanges/wallets are advised to blacklist flagged addresses.
Conclusion & Recommendations
THORChain’s triple attacks underscore the critical need for enhanced cross-chain security. Projects should:
- Conduct thorough logic audits.
- Integrate real-time monitoring like MistTrack.
- Educate users on revoking suspicious token approvals.