Security Snag Interrupts RUNE’s Meteoric Ascent

THORChain’s digital token, RUNE, recently experienced a surprising pause in its stellar performance due to a significant coding vulnerability. This development came at an inopportune moment as the RUNE token had been enjoying a 60% rally in the week leading up to the planned release of a new, groundbreaking lending product.

On this recent Wednesday, THORChain, one of the pioneers in the DeFi space, revealed that it had temporarily halted several key functions of its protocol. The reason? A security vulnerability in the TSS (Threshold Signature Scheme) library, which is maintained by Binance Smart Chain. The fallout from this revelation has impacted various operations related to the project’s nodes, as they depend heavily on the TSS. Notably, THORChain is designed to facilitate cross-chain asset swaps, boasting an array of features.

According to public statements by the team, a patch for node operators is ready. However, its deployment is on hold until other projects using the TSS library can secure their own patches. This precautionary move aims to prevent these dependent projects from being exposed to unnecessary risks.

A responsible disclosure indicates that most TSS libraries in production are vulnerable to a TSS security issue.

All users of GG18/GG20 should reach out to TC core devs immediately.

THORChain has paused key-signing until a patch can be released. https://t.co/qRrcrva9er

— THORChain (@THORChain) August 16, 2023

 

 

This security disclosure acted as a cold shower for the hot streak that THORChain’s RUNE token had been on. Despite the strong rally, the disclosure led to a 3% dip in RUNE’s value on the day of the announcement.

Delving into the details, official communications from the THORChain Twitter account confirmed that a majority of the TSS libraries currently in use are susceptible to the identified security issue. This vulnerability was initially highlighted on Aug. 13 in the THORChain developer Discord server, where a team representative noted that a disclosure to Binance regarding their TSS implementation had led Binance to initiate a security code patch.

What is THORChain?

THORChain is a decentralized cross-chain liquidity protocol that enables seamless asset swaps across various blockchain networks. It functions as a settlement layer, facilitating smooth exchanges between eight prominent chains: Bitcoin, Ethereum, Binance Chain, Avalanche, Cosmos Hub, Dogecoin, Litecoin, and Bitcoin Cash.

What is RUNE?

RUNE serves as the native token of THORChain and plays a crucial role in upholding the ecosystem by offering essential economic incentives that safeguard the network. Moreover, all liquidity within the system is connected to the RUNE token.

Additionally, THORChain nodes must meet specific participation criteria, requiring them to contribute a designated amount of RUNE. Furthermore, THORChain RUNE finds utility in paying transaction fees within the network and participating in the governance and management of THORChain’s operations.

THORChain’s Response: Decisive Action

Just like in the past, THORChain showed that it treats security seriously. In light of the situation, both the THORSec security advisory and THORNode node operation teams took decisive action. They suspended “churning”—a process that controls the addition and removal of validators from the network—until an appropriate THORNode patch can be safely issued. According to THORChain’s own documentation, the protocol’s TSS relies on two primary libraries, one of which belongs to Binance.

In an interview, the pseudonymous developer GiMa from Maya Protocol, which is a fork of THORChain, mentioned that both teams have prepared a patch. They are, however, patiently waiting for other affected teams to respond to the disclosure before going public with it. GiMa predicts the patch’s release could happen within 24 to 48 hours from their statement.

The vulnerability’s scope might extend far and wide. The TSS library from Binance Smart Chain has been forked 50 times over the past two years, indicating that numerous teams could potentially be impacted.

On Tuesday night prior to the public announcement, the THORChain team received advice from security experts to postpone the launch of an eagerly-awaited lending product due to the existing vulnerability.

Investors, understandably shaken by these security revelations, reacted by pushing RUNE’s price down by 8%, going from $1.61 to $1.48 according to CoinGecko data.

THORfi Lending

Before this security disclosure, anticipation surrounding THORChain’s innovative lending product had been a major driver of RUNE’s surge. In a community call, THORChain developer Chad Barraford heralded this new lending product as revolutionary, with enticing features such as “0% interest, no liquidations, and no expiration”.

Why the THORFi Lending design is so important for the entire #DeFi industry.
A loan with these characteristics, 0% interest, no liquidation, and no expiration makes it the lowest-risk loan in #DeFi, maybe even including #CeFi. pic.twitter.com/1Piw178IAq

— Chad Barraford (@CBarraford) November 29, 2022

Interestingly, although THORfi Lending is advertised as a revolutionary lending platform, numerous observers view it as functioning more similarly to an options platform. In this setup, the new protocol would act as the issuer. A recent HackMD risk report supported this perspective, likening a THORfi loan to an American call option.

Furthermore, this lending product is expected to introduce new dynamics to RUNE’s token economy. Notably, it is predicted to generate increased volume for RUNE, which acts as an intermediary liquidity asset in certain transactions within the THORChain ecosystem.

Despite RUNE’s recent spike and price fluctuations, it is worth noting that the token is still down 92% from its all-time high of $21.07, which was reached in May 2021.

Related News