Code vulnerability puts damper on RUNE’s wild run

One of DeFi’s oldest projects is among the best-performing on the week, but a security vulnerability has derailed the run

article-image

Vladimir Kazakov/Shutterstock modified by Blockworks

share

One of the strongest-performing digital assets of the week has been at least temporarily derailed by a code vulnerability. 

On Wednesday, THORChain — among the oldest DeFi projects — announced that the protocol had suspended a number of core functions due to a security vulnerability disclosure in a TSS (threshold signature scheme) library maintained by Binance Smart Chain. 

Over the past three days, the project has suspended functionality for a number of operations relating to their nodes, which rely on the TSS. The project primarily focuses on enabling cross-chain asset swaps with a variety of features. 

The team has stated in public channels that they have a patch for their node operators ready, but are waiting on other projects that rely on the TSS library to prepare their own patches and avoid putting those projects at risk. 

The statement pumped the brakes on what had been a strong run for THORChain’s Rune liquidity token. Rune had rallied 60% on the week in advance of the release of a new lending product, but the surge has stalled with the token dropping 3% on the day. 

Multiple THORChain team members did not respond to requests for comment by the time of publication. 

TSS vulnerability

On Wednesday, the official THORChain Twitter account replied to a tweet announcing that trading had been paused across eight chains, writing that “most TSS libraries in production are vulnerable to a TSS security issue.”

Loading Tweet..

The vulnerability was first discussed in the THORChain developer Discord server on Aug. 13. A team representative wrote that “a recent disclosure to Binance around their TSS implementation has caused them to make a security patch to the code.” 

This prompted the THORSec security advisory and THORNode node operation teams to pause “churning” — the process by which validators are added and removed from the network — until a THORNode patch could be released. Per THORChain documentation, the protocol’s TSS relies primarily on two libraries, including Binance’s.

In an interview with Blockworks, pseudonymous developer GiMa of Maya Protocol — a fork of THORChain — said both teams have a patch ready, but are waiting on other teams to respond to the disclosure before releasing. In a statement on the THORChain Telegram, GiMa added they expect the patch to be released in “24 — 48” hours. 

While it’s unclear how many active teams are potentially affected, Binance Smart Chain’s TSS Github has been forked 50 times in the last two years. 

The THORChain team announced on Tuesday night that due to the vulnerability, security advisors had recommended delaying the launch of a forthcoming lending product. 

Traders have responded to the various disclosures with apprehension, sending the price of Rune down 8% from 24-hour highs, falling to $1.48 from $1.61 per CoinGecko. 

Lending and options

Prior to the TSS disclosures, THORChain’s Rune liquidity token had been on a tear — largely due to anticipation around the lending product.

In a recent Twitter space community call, Thorchain developer Chad Barraford touted the new product as revolutionary. 

“When lending launches, we are, in my view, overnight, going to make the industry look like a bunch of dinosaurs. We’ve developed an entirely different design that makes the old one look like shit, to be honest. It is a very novel idea and experimental,” he said.  

Key features advertised in the THORfi Lending documentation include “0% interest, no liquidations and no expiration.”

However, while THORfi Lending is being marketed as a revolutionary lending platform, many observers have said that it functions closer to an options platform, with the new protocol acting as the issuer. Borrowers take loans denominated in dollar terms, and have the ability to “buy back” their collateral at a particular price. The protocol, meanwhile, sells the collateral at origination, and buys it back at the “exercising” of the option. 

A recent HackMD risk report concluded that “a [THORfi] loan behaves formally the same as an American call option,” and that the risks of the lending product to the wider protocol can be considered in similar terms to those posed to an options issuer.  

Notably, the new product also brings new token economic features. 

One aspect is a significant potential boost in volume for Rune. As with single-sided liquidity deposits into the THORChain DEX as well as certain cross-chain transactions, Rune is used as an intermediary liquidity asset (a BTC to ETH swap is routed through BTC/RUNE, then RUNE/ETH). 

This has led to some speculation that Rune could benefit from additional frequent buy pressure from the protocol itself. Additionally, the lend product will also feature a burn mechanism. 

Despite the recent pump and price volatility, Rune remains down 92% from an all-time high of $21.07 reached in May 2021. 


Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the On the Margin newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Salt Lake City, UT

MON - TUES, OCT. 7 - 8, 2024

Blockworks and Bankless in collaboration with buidlbox are excited to announce the second installment of the Permissionless Hackathon – taking place October 7-8 in Salt Lake City, Utah. We’ve partnered with buidlbox to bring together the brightest minds in crypto for […]

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Permissionless is a conference for founders, application developers, and users. Come meet the next generation of people building and using crypto.

recent research

Research Report Templates (1).png

Research

Solana Mobile is a highly ambitious foray into the mobile consumer hardware market, seeking to open up a crypto-native distribution channel for mobile-first applications. The market for Solana Mobile devices has demonstrated a phenomenon whereby external market actors (e.g. Solana-native projects) continuously underwrite subsidies to Mobile consumers. The value of these subsidies, coming in the form of airdrops, trial programs, and exclusive NFT mints, have consistently covered the cost of the phone and generated positive returns for consumers. Given this trend in subsidies, the unit economics in the market for Mobile devices, and the initial growth rate and trajectory of sales, it should be expected that Solana mobile can clear 1M to 10M units over the coming years. As more devices circulate amongst users, Solana Mobile presents a promising venue for the emergence of killer-applications uniquely enabled by this mobile-first, crypto-native distribution channel.

article-image

Plus, breaking down Donald Trump’s shifting crypto stance

article-image

Markets are holding relatively steady despite the supply shock

article-image

Analysts are looking ahead to August, a historically volatile month made more interesting this year by the US presidential election

article-image

Plus, a look into Lighting Labs’ newest feature

article-image

Crypto’s Wild West era is over — it’s time to embrace regulation to secure the future of digital assets

article-image

Plus, Solana has now surpassed Ethereum in trailing 30-day decentralized exchange volume