THORChain is back in a security fight, but this time with the whitehats, researchers who report bugs before attackers can exploit them.
The protocol is facing fresh criticism after a security research group V12 said the protocol quietly patched a critical bug and then told researchers its bug bounty program was permanently retired.
The group said in an X post on Monday, June 1, that it reported a "critical loss of funds bug" to THORChain, a cross-chain liquidity protocol that lets users swap native assets across blockchains.
The group said THORChain silently fixed the issue, but didn't pay a bounty.
"They silently patched it and told us their bug bounty program is permanently retired," V12 wrote, adding that the group has more THORChain vulnerabilities related to chain-halt denial-of-service attacks and plans to release them through open disclosure in the coming days.
V12
V12 said in a GitHub proof-of-concept that the bug could let one malicious validator make THORChain treat an unfinished Bitcoin deposit as final, causing the protocol to send out funds before the original transaction was safely confirmed.
As of press time, THORChain made no public statements on the matter.
- The dispute came less than three weeks after THORChain said it lost about $10.7 million in a May 15 exploit.
- THORChain said the attacker was a newly joined node operator who exploited a vulnerability in its signature system
- The protocol halted trading and signing during that incident and later said the remaining four vaults were unaffected.
The latest claim puts THORChain's bounty policy under scrutiny because bug bounties are meant to give researchers a reason to report dangerous bugs privately instead of taking them public.
- Commenting on the dispute, Mitchell Amador, founder of crypto bug bounty platform Immunefi, wrote in response to V12's post that "retiring bug bounty programs is a losing move."
- On-chain anon sleuth ZachXBT also criticized the protocol, writing that "after all of the exploits they had," THORChain should be taking security more seriously.
In 2021, THORChain suffered multiple exploits, including a roughly $5 million liquidity pool hack and another attack estimated near $8 million. Blockchain security firm TRM Labs noted in its blog post that cumulative losses tied to THORChain thefts since 2021 now approach $25 million, including the May 15 incident.
