defirisk.co
rubric v1.7.0

THORChain: Fake deposit via fake Asgard vault + malicious memo — Bifrost refund logic abuse

THORChain was hit for $8M ten days after its first hack, when an attacker deployed a fake Asgard vault to trigger THORChain's automatic refund logic and extract real assets using a malicious transaction MEMO.

Occurred 2021-07-26 Loss $8M Status closed

Summary #

THORChain suffered a Cross-Chain DEX / AMM / Bridge on 2021-07-26, resulting in a loss of approximately $8M.

What happened #

THORChain was hit for $8M ten days after its first hack, when an attacker deployed a fake Asgard vault to trigger THORChain's automatic refund logic and extract real assets using a malicious transaction MEMO.

Linked factors #

  • RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: No] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: No]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — same MCCN Bifrosts, new vulnerability found by different attacker in same unaudited component] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — same MCCN Bifrosts, new vulnerability found by different attacker in same unaudited component]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No (hacker demanded 10% bounty be established; THORChain committed to one post-incident)]
  • RD-F-076 — related : Protocol age (Cat 5 — < 6 months age signal) [via dashboard_risk_factors/Protocol age: MCCN launched early 2021; exploit 10 days after exploit 1]
  • RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Attack observation noted at 21:42 GMT on 2021-07-22 (4 days before main exploit); series of preparatory transactions; Tornado Cash funding]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — same MCCN Bifrosts, new vulnerability found by different attacker in same unaudited component]