Code vulnerability puts damper on RUNE’s wild run

One of DeFi’s oldest projects is among the best-performing on the week, but a security vulnerability has derailed the run

by Andrew Thurman /
article-image

Vladimir Kazakov/Shutterstock modified by Blockworks

share

One of the strongest-performing digital assets of the week has been at least temporarily derailed by a code vulnerability. 

On Wednesday, THORChain — among the oldest DeFi projects — announced that the protocol had suspended a number of core functions due to a security vulnerability disclosure in a TSS (threshold signature scheme) library maintained by Binance Smart Chain. 

Over the past three days, the project has suspended functionality for a number of operations relating to their nodes, which rely on the TSS. The project primarily focuses on enabling cross-chain asset swaps with a variety of features. 

The team has stated in public channels that they have a patch for their node operators ready, but are waiting on other projects that rely on the TSS library to prepare their own patches and avoid putting those projects at risk. 

The statement pumped the brakes on what had been a strong run for THORChain’s Rune liquidity token. Rune had rallied 60% on the week in advance of the release of a new lending product, but the surge has stalled with the token dropping 3% on the day. 

Multiple THORChain team members did not respond to requests for comment by the time of publication. 

TSS vulnerability

On Wednesday, the official THORChain Twitter account replied to a tweet announcing that trading had been paused across eight chains, writing that “most TSS libraries in production are vulnerable to a TSS security issue.”

Loading Tweet..

The vulnerability was first discussed in the THORChain developer Discord server on Aug. 13. A team representative wrote that “a recent disclosure to Binance around their TSS implementation has caused them to make a security patch to the code.” 

This prompted the THORSec security advisory and THORNode node operation teams to pause “churning” — the process by which validators are added and removed from the network — until a THORNode patch could be released. Per THORChain documentation, the protocol’s TSS relies primarily on two libraries, including Binance’s.

In an interview with Blockworks, pseudonymous developer GiMa of Maya Protocol — a fork of THORChain — said both teams have a patch ready, but are waiting on other teams to respond to the disclosure before releasing. In a statement on the THORChain Telegram, GiMa added they expect the patch to be released in “24 — 48” hours. 

While it’s unclear how many active teams are potentially affected, Binance Smart Chain’s TSS Github has been forked 50 times in the last two years. 

The THORChain team announced on Tuesday night that due to the vulnerability, security advisors had recommended delaying the launch of a forthcoming lending product. 

Traders have responded to the various disclosures with apprehension, sending the price of Rune down 8% from 24-hour highs, falling to $1.48 from $1.61 per CoinGecko. 

Lending and options

Prior to the TSS disclosures, THORChain’s Rune liquidity token had been on a tear — largely due to anticipation around the lending product.

In a recent Twitter space community call, Thorchain developer Chad Barraford touted the new product as revolutionary. 

“When lending launches, we are, in my view, overnight, going to make the industry look like a bunch of dinosaurs. We’ve developed an entirely different design that makes the old one look like shit, to be honest. It is a very novel idea and experimental,” he said.  

Key features advertised in the THORfi Lending documentation include “0% interest, no liquidations and no expiration.”

However, while THORfi Lending is being marketed as a revolutionary lending platform, many observers have said that it functions closer to an options platform, with the new protocol acting as the issuer. Borrowers take loans denominated in dollar terms, and have the ability to “buy back” their collateral at a particular price. The protocol, meanwhile, sells the collateral at origination, and buys it back at the “exercising” of the option. 

A recent HackMD risk report concluded that “a [THORfi] loan behaves formally the same as an American call option,” and that the risks of the lending product to the wider protocol can be considered in similar terms to those posed to an options issuer.  

Notably, the new product also brings new token economic features. 

One aspect is a significant potential boost in volume for Rune. As with single-sided liquidity deposits into the THORChain DEX as well as certain cross-chain transactions, Rune is used as an intermediary liquidity asset (a BTC to ETH swap is routed through BTC/RUNE, then RUNE/ETH). 

This has led to some speculation that Rune could benefit from additional frequent buy pressure from the protocol itself. Additionally, the lend product will also feature a burn mechanism. 

Despite the recent pump and price volatility, Rune remains down 92% from an all-time high of $21.07 reached in May 2021. 

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.

Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Digital Asset Summit 2025

Javits Center North | 445 11th Ave

Tues - Thurs, March 18 - 20, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

recent research

Unlocked by Template.jpg

Research

Bitcoin Expressivity with BitcoinOS

The BitcoinOS team is the first to have developed and posted a ZK-compressed proof on the Bitcoin network. Other proof verification efforts have been limited to the Signet or testnet deployments. Their work has resulted in the development of BitSNARK, a software library for ZK-compressed fraud proofs on the Bitcoin network. The project aims to provide a horizontal scaling solution, offering a one-stop shop for teams interested in developing a rollup on Bitcoin. This approach shares similarities with the horizontal tech stack scaling in other ecosystems like Cosmos and Optimism, particularly in its focus on simplified verification, bridging standards, and lightweight interoperability.

by 0xMims

/

news

article-image

Analysis

Crypto monthly active addresses are hitting all-time highs: A16z

A16z’s State of Crypto report shows that DeFi has the largest number of daily active addresses, with stablecoins following closely behind

by Katherine Ross /
article-image

DeFi

Conduit sees path to gigagas throughput with new sequencer

G2 is delivering real-world performance breakthroughs at 50-100 Mgas/s, Conduit says

by Macauley Peterson /
article-image

Analysis

Memecoin conceived by AI trumps Trump-linked token sale

World Liberty Financial’s token sale debuted just as an absurd AI-fueled memecoin captured crypto’s attention

by David Canellis /
article-image

Empire Newsletter

World Liberty Financial’s presale overshadowed by memecoin-shilling AI

Plus, would crypto be better out of the limelight?

by Katherine Ross&David Canellis /
article-image

Policy

Coinbase continues with SEC lawsuit over denied FOIA request 

Coinbase hired History Associates in 2023 to assist in retrieving records from the SEC and FDIC

by Casey Wagner /
article-image

Forward Guidance Newsletter

VP Harris’s latest crypto comments fall short on details

Hours after pledging to support Black men’s rights to safely invest in crypto, VP Harris’s Monday night speech mentioned blockchain zero times

by Casey Wagner&Ben Strack /