Popular cross-chain decentralized exchange THORChain has suffered a multi-million-dollar breach.
Estimates as to the scale of the damage vary, with THORChain revising the initial estimate that 13,000 Ether (ETH) (worth $25.1 million) had been stolen, bringing the total down to 4,000 ETH (roughly $7.6 million) as a ballpark for damages. A subsequent community-provided rundown of stolen assets suggests the figure is closer to $6 million.
In the THORChain community Telegram channel, administrators have indicated the project has the funds needed to cover users’ stolen assets but articulated a preference for the hacker to return the stolen funds in exchange for a bug bounty.
“While the treasury has the funds to cover the stolen amount, we request the attacker get in contact with the team to discuss return of funds and a bounty commensurate with the discovery,” a Telegram post stated, adding that user funds “will be available when the issue has been patched & the network resumes.”
THORChain has since tweeted that its preliminary roadmap to recovery is underway, announcing that after the vulnerability is patched and the network is restarted, Ether will be donated to liquidity provider pools to reimburse impacted users. From there, the team plans to engage security firms to have its contracts audited.
As of this writing, the THORChain network remains halted.
Blockchain cybersecurity firm Halborn Security is compiling a proposal to the THORChain community for “Advance Persistent Protection,” offering up a team of up to half a dozen “ethical security engineers working to break every update on Thorchain.”
Related: A RUNE with a view: How smart crypto traders caught a 48% price pump
THORChain entered into its guarded “Chaosnet” launch during April, facilitating cross-chain swaps across the Bitcoin, Ethereum, Litecoin, Bitcoin Cash and Binance Chain networks.
DeFi Watch founder Chris Blec said the staged “raise the caps” launch of THORChain had prevented an even greater loss of funds.
Today’s attack is not the first time THORChain has been targeted by hackers during its Chaosnet deployment, with the protocol losing at least $140,000 worth of assets last month.