Cross-chain protocol THORChain (RUNE) has suffered around $8 million in losses in a new exploit today – its second hack in just over a week.

The attack targeted the platform’s ETH router, with the hacker surprisingly stealing less funds than they could have made away with. 

About the Exploit

The exploit took advantage of THORChain’s ETH router, which controls the movement of Ethereum-based tokens through the project’s cross-chain decentralized exchange

The exact mechanics of the exploit are still to be disclosed, however the attacker managed to drain significant amounts of USDC Coin (USDC), Sushi ((SUSHI), Yearn Finance (YFI), Tether (USDT), Alchemix (ALCX) and XRUNE Token (XRUNE). The total value of tokens drained amounted to around $8 million.

The attacker then offloaded all of the proceeds via decentralized exchanges Uniswap and SushiSwap at extremely high slippage, securing around $4.1 million in ETH.

Interestingly, the hacker left a message on one of the transactions indicating that they could have taken several other assets from the protocol if they so desired. They also added that a 10% value-at-risk bounty would have prevented the attack, as well as warning against rushing code that controls such a large sum of funds.

THORChain’s Response

The THORChain team has halted the functionality of the ETH router until it has been peer-reviewed with audit partners. This will disable any further transfer of Ethereum-based assets via the platform. Liquidity providers in the ERC20 token pools will also be compensated.

An additional tweet from the team said that they would be willing to award the requested 10% bounty if the hacker reaches out, out of the project’s treasury. 

The attack is the second in just eight days, the first of which resulted in more than $6 million in losses.