One of the strongest-performing digital assets of the week has been at least temporarily derailed by a code vulnerability.
On Wednesday, THORChain — among the oldest DeFi projects — announced that the protocol had suspended a number of core functions due to a security vulnerability disclosure in a TSS (threshold signature scheme) library maintained by Binance Smart Chain.
Over the past three days, the project has suspended functionality for a number of operations relating to their nodes, which rely on the TSS. The project primarily focuses on enabling cross-chain asset swaps with a variety of features.
The team has stated in public channels that they have a patch for their node operators ready, but are waiting on other projects that rely on the TSS library to prepare their own patches and avoid putting those projects at risk.
The statement pumped the brakes on what had been a strong run for THORChain’s Rune liquidity token. Rune had rallied 60% on the week in advance of the release of a new lending product, but the surge has stalled with the token dropping 3% on the day.
Multiple THORChain team members did not respond to requests for comment by the time of publication.
TSS vulnerability
On Wednesday, the official THORChain Twitter account replied to a tweet announcing that trading had been paused across eight chains, writing that “most TSS libraries in production are vulnerable to a TSS security issue.”
A responsible disclosure indicates that most TSS libraries in production are vulnerable to a TSS security issue.
— THORChain (@THORChain) August 16, 2023
All users of GG18/GG20 should reach out to TC core devs immediately.
THORChain has paused key-signing until a patch can be released. https://t.co/qRrcrva9er
The vulnerability was first discussed in the THORChain developer Discord server on Aug. 13. A team representative wrote that “a recent disclosure to Binance around their TSS implementation has caused them to make a security patch to the code.”
This prompted the THORSec security advisory and THORNode node operation teams to pause “churning” — the process by which validators are added and removed from the network — until a THORNode patch could be released. Per THORChain documentation, the protocol’s TSS relies primarily on two libraries, including Binance’s.
In an interview with Blockworks, pseudonymous developer GiMa of Maya Protocol — a fork of THORChain — said both teams have a patch ready, but are waiting on other teams to respond to the disclosure before releasing. In a statement on the THORChain Telegram, GiMa added they expect the patch to be released in “24 — 48” hours.
While it’s unclear how many active teams are potentially affected, Binance Smart Chain’s TSS Github has been forked 50 times in the last two years.
The THORChain team announced on Tuesday night that due to the vulnerability, security advisors had recommended delaying the launch of a forthcoming lending product.
Traders have responded to the various disclosures with apprehension, sending the price of Rune down 8% from 24-hour highs, falling to $1.48 from $1.61 per CoinGecko.
Lending and options
Prior to the TSS disclosures, THORChain’s Rune liquidity token had been on a tear — largely due to anticipation around the lending product.
In a recent Twitter space community call, Thorchain developer Chad Barraford touted the new product as revolutionary.
“When lending launches, we are, in my view, overnight, going to make the industry look like a bunch of dinosaurs. We’ve developed an entirely different design that makes the old one look like shit, to be honest. It is a very novel idea and experimental,” he said.
Key features advertised in the THORfi Lending documentation include “0% interest, no liquidations and no expiration.”
However, while THORfi Lending is being marketed as a revolutionary lending platform, many observers have said that it functions closer to an options platform, with the new protocol acting as the issuer. Borrowers take loans denominated in dollar terms, and have the ability to “buy back” their collateral at a particular price. The protocol, meanwhile, sells the collateral at origination, and buys it back at the “exercising” of the option.
A recent HackMD risk report concluded that “a [THORfi] loan behaves formally the same as an American call option,” and that the risks of the lending product to the wider protocol can be considered in similar terms to those posed to an options issuer.
Notably, the new product also brings new token economic features.
One aspect is a significant potential boost in volume for Rune. As with single-sided liquidity deposits into the THORChain DEX as well as certain cross-chain transactions, Rune is used as an intermediary liquidity asset (a BTC to ETH swap is routed through BTC/RUNE, then RUNE/ETH).
This has led to some speculation that Rune could benefit from additional frequent buy pressure from the protocol itself. Additionally, the lend product will also feature a burn mechanism.
Despite the recent pump and price volatility, Rune remains down 92% from an all-time high of $21.07 reached in May 2021.