Code vulnerability puts damper on RUNE’s wild run

One of DeFi’s oldest projects is among the best-performing on the week, but a security vulnerability has derailed the run

by Andrew Thurman /
article-image

Vladimir Kazakov/Shutterstock modified by Blockworks

share

One of the strongest-performing digital assets of the week has been at least temporarily derailed by a code vulnerability. 

On Wednesday, THORChain — among the oldest DeFi projects — announced that the protocol had suspended a number of core functions due to a security vulnerability disclosure in a TSS (threshold signature scheme) library maintained by Binance Smart Chain. 

Over the past three days, the project has suspended functionality for a number of operations relating to their nodes, which rely on the TSS. The project primarily focuses on enabling cross-chain asset swaps with a variety of features. 

The team has stated in public channels that they have a patch for their node operators ready, but are waiting on other projects that rely on the TSS library to prepare their own patches and avoid putting those projects at risk. 

The statement pumped the brakes on what had been a strong run for THORChain’s Rune liquidity token. Rune had rallied 60% on the week in advance of the release of a new lending product, but the surge has stalled with the token dropping 3% on the day. 

Multiple THORChain team members did not respond to requests for comment by the time of publication. 

TSS vulnerability

On Wednesday, the official THORChain Twitter account replied to a tweet announcing that trading had been paused across eight chains, writing that “most TSS libraries in production are vulnerable to a TSS security issue.”

Loading Tweet..

Newsletter

Subscribe to Blockworks Daily

The vulnerability was first discussed in the THORChain developer Discord server on Aug. 13. A team representative wrote that “a recent disclosure to Binance around their TSS implementation has caused them to make a security patch to the code.” 

This prompted the THORSec security advisory and THORNode node operation teams to pause “churning” — the process by which validators are added and removed from the network — until a THORNode patch could be released. Per THORChain documentation, the protocol’s TSS relies primarily on two libraries, including Binance’s.

In an interview with Blockworks, pseudonymous developer GiMa of Maya Protocol — a fork of THORChain — said both teams have a patch ready, but are waiting on other teams to respond to the disclosure before releasing. In a statement on the THORChain Telegram, GiMa added they expect the patch to be released in “24 — 48” hours. 

While it’s unclear how many active teams are potentially affected, Binance Smart Chain’s TSS Github has been forked 50 times in the last two years. 

The THORChain team announced on Tuesday night that due to the vulnerability, security advisors had recommended delaying the launch of a forthcoming lending product. 

Traders have responded to the various disclosures with apprehension, sending the price of Rune down 8% from 24-hour highs, falling to $1.48 from $1.61 per CoinGecko. 

Lending and options

Prior to the TSS disclosures, THORChain’s Rune liquidity token had been on a tear — largely due to anticipation around the lending product.

In a recent Twitter space community call, Thorchain developer Chad Barraford touted the new product as revolutionary. 

“When lending launches, we are, in my view, overnight, going to make the industry look like a bunch of dinosaurs. We’ve developed an entirely different design that makes the old one look like shit, to be honest. It is a very novel idea and experimental,” he said.  

Key features advertised in the THORfi Lending documentation include “0% interest, no liquidations and no expiration.”

However, while THORfi Lending is being marketed as a revolutionary lending platform, many observers have said that it functions closer to an options platform, with the new protocol acting as the issuer. Borrowers take loans denominated in dollar terms, and have the ability to “buy back” their collateral at a particular price. The protocol, meanwhile, sells the collateral at origination, and buys it back at the “exercising” of the option. 

A recent HackMD risk report concluded that “a [THORfi] loan behaves formally the same as an American call option,” and that the risks of the lending product to the wider protocol can be considered in similar terms to those posed to an options issuer.  

Notably, the new product also brings new token economic features. 

One aspect is a significant potential boost in volume for Rune. As with single-sided liquidity deposits into the THORChain DEX as well as certain cross-chain transactions, Rune is used as an intermediary liquidity asset (a BTC to ETH swap is routed through BTC/RUNE, then RUNE/ETH). 

This has led to some speculation that Rune could benefit from additional frequent buy pressure from the protocol itself. Additionally, the lend product will also feature a burn mechanism. 

Despite the recent pump and price volatility, Rune remains down 92% from an all-time high of $21.07 reached in May 2021. 

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.

Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Digital Asset Summit 2025

Javits Center North | 445 11th Ave

Tues - Thurs, March 18 - 20, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

Permissionless IV

Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

learn more

recent research

Research Report Templates.png

Research

Base Ecosystem Update

An overview of the Base Ecosystem, with a focus on market leaders.

by Daniel Shapiro

/

news

article-image

Empire NewsletterMarkets

A bullish December rally could still be in the books

Although bitcoin hitting $120k by year’s end is looking unlikely

by Katherine Ross /
article-image

DeFiEmpire Newsletter

Hyperliquid could have the most valuable airdrop ever

About 270 million HYPE has been claimed, valued around $7.6 billion

by David Canellis /
article-image

BusinessLightspeed Newsletter

Stanford lab partners with team behind ‘ai16z’ AI agent project

Stanford professors David Mazières and Dan Boneh will lead the lab alongside a cohort of graduate student researchers

by Jack Kubinec /
article-image

AnalysisForward Guidance Newsletter

Taking stock of crypto predictions for 2025

With more companies holding BTC, bitcoin yielding strategies could become “a new corporate finance norm,” CoinShares posed

by Ben Strack /
article-image

0xResearch NewsletterDeFi

Aave governance mulls an exit from Polygon

The proposal comes after Polygon governance considered a controversial use of bridged liquidity for yield

by Donovan Choy /
article-image

0xResearch NewsletterDeFi

Ethereum’s culture clash: Dissent, decentralization and progress

Can the community balance its decentralized ethos with the need for inclusivity and constructive debate?

by Macauley Peterson /