THORChain Joins Immunefi with $500,000 Bug Bounty

THORChain, a decentralized cross-chain liquidity protocol, is joining Immunefi with a $500,000 bug bounty following two multi-million dollar hacks that have left the protocol searching for ways to boost security.

Both hacks occurred within a single week, resulting in losses of $5 million and $8 million, respectively.

THORChain has halted its network to prevent additional exploits and listed a bug bounty on Immunefi for covering the protocol’s highest impact code, with the scope set to increase over time. The point of the bug bounty is to promote responsible disclosure and resume network functionality, namely blocks and node rewards, in addition to processing native RUNE tokens. Nine Realms has also joined the efforts to triage and verify vulnerabilities.

Specifically, the scope is limited to:

-THORChain Tendermint implementation,

-Deposit functionality,

-ETH Router Contract in isolation (without Bifröst interaction)

-ERC20 RUNE Contract in isolation

Other relevant details:

- Hardcap will be 10% of vulnerable funds up to $300k for attacks spanning 30 minutes

- Hardcap will be 10% of vulnerable funds up to $500k for attacks that are immediate (over 1 block)

- Total payout will be limited to $2 million for this initial pool. After TC goes live additional bug bounties will be considered

-Only vulnerabilities rated as “critical” in severity will be accepted under this bug bounty program. In the future, the bug bounty program will expand to include other severity levels.

For more specifics about the program, please see THORChain’s bug bounty page.

THORChain also has two ongoing security audits, one with Halborn and one with Trail of Bits. Until those audits are finished, any issues addressed, and consent from the THORChain community is obtained, depositing, withdrawing, swapping, and all other functionality apart from blocks, node rewards, and processing native RUNE tokens, will remain suspended.

Recovering from hacks is difficult. But the first step to recovery is taking security and responsibility seriously. We applaud THORChain for taking this first step by obtaining a bug bounty, and we welcome vulnerability researchers to submit their finds.

How to Submit a Bug?

Registration is simple. Navigate to https://bugs.immunefi.com, register with an email address, and then when submitting a bug report, choose THORChain as the project. Include as much information as possible.