V12 Says THORChain Silently Patched Its Critical Bug, Then Told Researchers the Bounty Is 'Permanently Retired'
§ 01 Executive Snapshot
- What: V12 reported a critical bug in THORChain, which was patched without credit or bounty payment.
- Who: V12, a security startup; THORChain, a cross-chain liquidity protocol.
- Why it matters: The incident highlights issues in THORChain's security practices and raises concerns about the effectiveness of its bug bounty program.
§ 02 Key Developments
- V12 disclosed a critical bug to THORChain on April 28, which was subsequently patched without acknowledgment or bounty payment.
- THORChain's bug bounty program was reportedly closed due to a high volume of AI-generated submissions, not due to V12's report.
- The protocol lost an estimated $10.7 million in a separate exploit attributed to a proposer-forgery bug on May 15.
§ 03 Strategic Context
- THORChain has faced multiple hacks since 2021, with significant funds lost, raising questions about its security framework and vulnerability management.
- The closure of THORChain's bug bounty program reflects a trend in the crypto space where protocols are struggling to manage security disclosures effectively.
§ 04 Strategic Implications
- The lack of a functioning bug bounty program may deter security researchers from responsibly disclosing vulnerabilities, potentially leading to more exploits.
- V12's plans to publicly release exploit code could embolden malicious actors and create a risk for THORChain's user base.
§ 05 Risks & Constraints
- The potential for unpatched vulnerabilities to be exploited increases operational risks for THORChain and undermines user trust in the protocol.
- Regulatory scrutiny may arise from the public disclosure of vulnerabilities, especially if they lead to further attacks or user losses.
§ 06 Watchlist / Forward Signals
- V12 plans to release additional denial-of-service vulnerabilities related to THORChain in the coming days.
- A formal post-mortem by THORChain on the May 15 exploit could provide insights into its security measures and future bug management strategies.
Frequently Asked Questions
What critical issue did V12 report to THORChain?
V12 reported a critical bug in THORChain, which was patched without acknowledgment or bounty payment.
Why was THORChain's bug bounty program closed?
THORChain's bug bounty program was reportedly closed due to a high volume of AI-generated submissions.
How much money did THORChain lose in a separate exploit?
THORChain lost an estimated $10.7 million in a separate exploit attributed to a proposer-forgery bug.
What are the implications of the lack of a functioning bug bounty program for THORChain?
The lack of a functioning bug bounty program may deter security researchers from responsibly disclosing vulnerabilities, potentially leading to more exploits.
Related Articles
USDT Returns to Bitcoin: RGB and UTEXO Enable Private Lightning Settlements
§ 01 Executive Snapshot What: Tether is set to issue USDT natively on Bitcoin through the RGB protoc
Google Expands AI Training to Include User-Uploaded Media to Search Tools
§ 01 Executive Snapshot What: Google has expanded its AI training data to include user-uploaded medi
Big Banks Eye Payments Deal That Could Rewire Debit Fees
§ 01 Executive Snapshot What: Major U.S. banks are considering acquiring Fiserv's debit card network
Gift Card Loophole Gives Hackers a New Way to Cash Out
§ 01 Executive Snapshot What: A new form of account takeover fraud is emerging through AI platforms