Code vulnerability puts damper on RUNE’s wild run

One of DeFi’s oldest projects is among the best-performing on the week, but a security vulnerability has derailed the run


Vladimir Kazakov/Shutterstock modified by Blockworks


One of the strongest-performing digital assets of the week has been at least temporarily derailed by a code vulnerability. 

On Wednesday, THORChain — among the oldest DeFi projects — announced that the protocol had suspended a number of core functions due to a security vulnerability disclosure in a TSS (threshold signature scheme) library maintained by Binance Smart Chain. 

Over the past three days, the project has suspended functionality for a number of operations relating to their nodes, which rely on the TSS. The project primarily focuses on enabling cross-chain asset swaps with a variety of features. 

The team has stated in public channels that they have a patch for their node operators ready, but are waiting on other projects that rely on the TSS library to prepare their own patches and avoid putting those projects at risk. 

The statement pumped the brakes on what had been a strong run for THORChain’s Rune liquidity token. Rune had rallied 60% on the week in advance of the release of a new lending product, but the surge has stalled with the token dropping 3% on the day. 

Multiple THORChain team members did not respond to requests for comment by the time of publication. 

TSS vulnerability

On Wednesday, the official THORChain Twitter account replied to a tweet announcing that trading had been paused across eight chains, writing that “most TSS libraries in production are vulnerable to a TSS security issue.”

Loading Tweet..

The vulnerability was first discussed in the THORChain developer Discord server on Aug. 13. A team representative wrote that “a recent disclosure to Binance around their TSS implementation has caused them to make a security patch to the code.” 

This prompted the THORSec security advisory and THORNode node operation teams to pause “churning” — the process by which validators are added and removed from the network — until a THORNode patch could be released. Per THORChain documentation, the protocol’s TSS relies primarily on two libraries, including Binance’s.

In an interview with Blockworks, pseudonymous developer GiMa of Maya Protocol — a fork of THORChain — said both teams have a patch ready, but are waiting on other teams to respond to the disclosure before releasing. In a statement on the THORChain Telegram, GiMa added they expect the patch to be released in “24 — 48” hours. 

While it’s unclear how many active teams are potentially affected, Binance Smart Chain’s TSS Github has been forked 50 times in the last two years. 

The THORChain team announced on Tuesday night that due to the vulnerability, security advisors had recommended delaying the launch of a forthcoming lending product. 

Traders have responded to the various disclosures with apprehension, sending the price of Rune down 8% from 24-hour highs, falling to $1.48 from $1.61 per CoinGecko. 

Lending and options

Prior to the TSS disclosures, THORChain’s Rune liquidity token had been on a tear — largely due to anticipation around the lending product.

In a recent Twitter space community call, Thorchain developer Chad Barraford touted the new product as revolutionary. 

“When lending launches, we are, in my view, overnight, going to make the industry look like a bunch of dinosaurs. We’ve developed an entirely different design that makes the old one look like shit, to be honest. It is a very novel idea and experimental,” he said.  

Key features advertised in the THORfi Lending documentation include “0% interest, no liquidations and no expiration.”

However, while THORfi Lending is being marketed as a revolutionary lending platform, many observers have said that it functions closer to an options platform, with the new protocol acting as the issuer. Borrowers take loans denominated in dollar terms, and have the ability to “buy back” their collateral at a particular price. The protocol, meanwhile, sells the collateral at origination, and buys it back at the “exercising” of the option. 

A recent HackMD risk report concluded that “a [THORfi] loan behaves formally the same as an American call option,” and that the risks of the lending product to the wider protocol can be considered in similar terms to those posed to an options issuer.  

Notably, the new product also brings new token economic features. 

One aspect is a significant potential boost in volume for Rune. As with single-sided liquidity deposits into the THORChain DEX as well as certain cross-chain transactions, Rune is used as an intermediary liquidity asset (a BTC to ETH swap is routed through BTC/RUNE, then RUNE/ETH). 

This has led to some speculation that Rune could benefit from additional frequent buy pressure from the protocol itself. Additionally, the lend product will also feature a burn mechanism. 

Despite the recent pump and price volatility, Rune remains down 92% from an all-time high of $21.07 reached in May 2021. 

Don’t miss the next big story – join our free daily newsletter.


Upcoming Events

Hilton Metropole | 225 Edgware Rd, London

Mon - Wed, March 18 - 20, 2024

Crypto’s premier institutional conference returns to London in March 2024. The DAS: London Experience: Attend expert-led panel discussions and fireside chats Hear the latest developments regarding the crypto and digital asset regulatory environment directly from policymakers and experts.

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Research report - cover graphics (1).jpg


In this report, we dive into crypto private market data to gather insights on where the future of the industry is headed. Despite a notable downturn in private raises, capital continues to infuse promising projects that aim to transform payments, banking, consumer experiences, community, and more, with 2023 being the fourth-largest year for crypto venture capital.


BUZZ holds shares of Coinbase, Robinhood and MicroStrategy


Opinion: Even though I didn’t pay for my “Diamond Hands” burger with BTC, don’t let that fool you into thinking that crypto’s development is futile


The results mark “a major positive inflection point,” one analyst says, as the exchange carries net income momentum into a crypto rally


While the slate of 10 US spot bitcoin funds have tallied $4.6 billion of net inflows thus far, half of the field is lagging the leaders


Trading volumes totalled $154 billion in Q4, including $125 billion in institutional volume


DeFi on Bitcoin is all the rage right now and Stacks is positioned to benefit