Weekly Dev Update #101


THORChain Weekly Dev Update for Week 101, 26 July-1 August; Updated Plan/Timeline, Security Audits, Bounty Program, MCCN Updates, Community Updates

Summary

Review of the second ETH exploit showed a weakness between the ETH Router and Bifrost and has shown the need for greater scrutiny of the code. Two security audit firms have been engaged to audit the code for a formal review, whitehat hackers have been engaged for an informal review, and a bug bounty program has been released for incentives and responsible disclosure. A plan forward has been laid out and a rough timeline delivered to set expectations.

Planned Path Forward

1. Evaluate (internal and external) all code-paths relating to MsgDeposit (bond/unbond/leave/swap/add/remove, using THOR.RUNE) which will be the only allowed action when the chain restarts.

2. Once externally signed off (NineRealms OpsSec team to give the ok), the chain will be restarted in a particular fashion: make the update, but quickly kill the Bifrost (to stop external chain observations). This is because the ChainHalt feature is not yet live, so the network needs to be isolated from external inbounds during the 2/3rds->100% update window.

3. With the chain restarted, block rewards will flow again, paying Nodes and LPs. Nodes (Active and Standby) will be back paid for the days the chain was halted. A restarted chain means updates can be pushed out to address bugs and add security features — with inbounds halted.

4. Ragnarok SCCN — this is a liability that needs to be addressed whilst audits are underway.

5. Halborn and Trail of Bits to pass review on successive chain clients, as well as swap/add liquidity code paths. Once passed, chain clients will be successively restarted: BNB, then UTXO, with ETH being last.

6. ETH will finally be addressed. The decision to drop ERC-20’s (or not) will be made here.

7. Network fully operational, Audits completed.

Timeline

Draft timeline created. All timelines are indicative and the team is seeking to expedite as much as possible. Simple Gantt-like view of stages & activities; https://www.notion.so/tc-contributor/8c08daa568f149a0be096a626357233c?v=323951fdad3444c8ac08a76eea31f456

Major streams of work & action items

https://www.notion.so/tc-contributor/5577d8fe4e1a446d9c7d11adee3de5f4?v=2a3418de40a44e718acf53f3a786bec7

Security Audits / Review Update

Halborn and Trail of Bits to conduct security audits for a structured review of the code. Halborn schedule here.

A security code walk-through was conducted for whitehat hackers and auditors, allowing unstructured review of the code.

Halborn Incident Analysis of the 2nd ETH Hack can be found here.

Bounty Program Released

A formal bounty program run by Immunefi and Nine Realms was released. Up to $500,000 will be awarded. Bugs can be submitted at https://bugs.immunefi.com. Nine Realms will assist with triage.

Read the full details here https://medium.com/immunefi/thorchain-joins-immunefi-with-500-000-bug-bounty-52a5ddcb2713.

A 4000 RUNE bounty was announced for shell/secrets access issues in the bare metal guide. See https://hildisviniottar.medium.com/vultr-bare-metal-thorchain-validator-setup-guide-a743c8e7561c. Full details here. Disclose bugs at https://bugs.immunefi.com. This bounty ends 31 Aug 2021.

Last call for SCCN (BEPSWAP) before Ragnarok!

Very soon THORChain will move to Ragnarok Single Chain Chaosnet. The time is now to withdraw any funds.

Post-mortem: ETH Router Exploits 1 & 2, and premature Return To Trading Incident

Post-mortem of Exploits, lessons learnt and detailing THORChain’s 5 Pronged Recovery Plan Update:
1) Stop and Audit (Halborn + Trail Of Bits)
2) Red-teams (Halborn + THORSec team)
3) Bounty Program (Immunefi)
4) Harden the Protocol (6 new features added)
5) Insure the TVL. Tidal, more coming.

Read all about it here: https://medium.com/thorchain/post-mortem-eth-router-exploits-1-2-and-premature-return-to-trading-incident-2908928c5fb

Completed Merge Requests of note:

Resolve “Affiliate Fee limit”

Resolves an issue where more funds can be taken in Affiliate Fees than was sent in to the network. https://gitlab.com/thorchain/thornode/-/merge_requests/1834

[bugfix] halt should include synth source assets

Fixes a bug where, if a synth is the source asset, it would not be flagged for halt trading for a specific chain.

https://gitlab.com/thorchain/thornode/-/merge_requests/1823

Only parse event that is emit by THORChain Router

Checks to ensure events observed are from the real THORChain Router.

https://gitlab.com/thorchain/thornode/-/issues/1053
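
The check described above, sketched as an added example (not THORNode or Bifrost code): an observer accepts a deposit event only when the log's emitting contract is the configured router, and sets aside logs that carry the right event type from any other contract. The `Log` type, the addresses and the topic values are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Log is a minimal stand-in for an EVM event log (constructed for this example).
type Log struct {
	Address string   // contract that emitted the log
	Topics  []string // Topics[0] identifies the event type
}

// Constructed placeholder values, not real THORChain addresses or topic hashes.
const (
	routerAddress = "0x1111111111111111111111111111111111111111"
	otherContract = "0x2222222222222222222222222222222222222222"
	depositTopic  = "0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
	otherTopic    = "0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
)

// sampleLogs returns constructed logs as they might appear in one transaction receipt.
func sampleLogs() []Log {
	return []Log{
		{Address: routerAddress, Topics: []string{depositTopic}}, // genuine router deposit
		{Address: otherContract, Topics: []string{depositTopic}}, // same event type, wrong emitter
		{Address: routerAddress, Topics: []string{otherTopic}},   // router, unrelated event
	}
}

// FilterRouterLogs accepts deposit events only when emitted by the router.
// Logs with the deposit topic from any other contract are returned separately
// so they can be logged or alerted on instead of being parsed.
func FilterRouterLogs(logs []Log, router, topic string) (accepted, rejected []Log) {
	for _, l := range logs {
		isDeposit := len(l.Topics) > 0 && strings.EqualFold(l.Topics[0], topic)
		if !isDeposit {
			continue
		}
		if strings.EqualFold(l.Address, router) {
			accepted = append(accepted, l)
		} else {
			rejected = append(rejected, l)
		}
	}
	return accepted, rejected
}

func main() {
	ok, bad := FilterRouterLogs(sampleLogs(), routerAddress, depositTopic)
	fmt.Printf("accepted=%d rejected=%d\n", len(ok), len(bad))
}
```
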

Whitelist smart contract address

Whitelists the Ethereum smart contract addresses THORChain interacts with.

https://gitlab.com/thorchain/thornode/-/merge_requests/1821

Resolve “ADD: chain-specific halt trading”

Allows stopping of specific chains.

https://gitlab.com/thorchain/thornode/-/merge_requests/1807

[bugfix] `IsRune` shouldn’t check cross env

Fixes a synth minting bug.

https://gitlab.com/thorchain/thornode/-/merge_requests/1838

Updates

No THORNode MCCN updates — on 0.62.1.

Ethereum daemon client Geth update: 1.10.4 => 1.10.6

https://github.com/ethereum/go-ethereum/releases/tag/v1.10.6

The Ethereum LONDON update on mainnet happens on August 4th 2021; all NOs need to be running the latest version of the client before it happens.

Community Updates

GrassRoots Crypto Update (19/07–30/07)

- A Liquidity Pool Example — High Level Released
- Edited THORChain Code Walk-through
- Wrote Synthetic Asset Model for docs
- Hacks video released and extra info posted at https://grassrootscrypto.io/defi/thorchain/thorfi/thorchain-hack-overview/
Upcoming video
- A Liquidity Pool Example — The Details

https://www.youtube.com/c/GrassRootsCrypto/

Dragons’ Dex — Weekly Update (26 July — 1 Aug)

- Dragons’ Eye: recognizing BTC, LTC and ETH chains & addresses
- Dragons’ Eye: added prices and asset icons
- xchain-dart: added lite-clients for LTC & BTC
- xchain-dart: identifying single-chain & multi-chain addresses
- xchain-dart: extended test-cases

https://twitter.com/DragonsDex

See video: https://twitter.com/DragonsDex/status/1421368882837737473?s=20

DEVOps Weekly Update (7/26–8/1)

cluster-launcher

- Update dependencies and upgrade Kubernetes to Version 1.21 on Azure [WIP]
- Update dependencies and upgrade Kubernetes to Version 1.21 on hcloud [WIP]
- Add VolumeSnapshot feature to both providers [WIP]
- VolumeSnapshot not available on Linode (deprecating)
- Hetzner bare-metal preparations

THORmon

Frontend
- Convert network genesis date
- Modular header [WIP]
- Colored Rows Churn [WIP]

Backend
- Staging environment adaptations and cleanups

https://thorchain.network/

TRX1’s Weekly Dev Report (26/07–01/08)

THORChain Monitoring bot
- Large swap/refund/donate/switch notifications logic improvements
- Testing new notifications using various real-life data

Runiverse
- Coding graphics for pool representation.

https://t.me/thorchain_alert

Thorboard Weekly Update (7/26–8/01)

- implement dev dashboard for new feature development and UI feedback
- improved UI for standby and active nodes
- correcting node status logic
- develop new features with protocol reserves & advanced LP revenue
- explore improvements to overall loading performance & auto refreshing data

block42 Weekly Dev Report

Brokkr

- Go-Live of minting/redeeming from L1 assets
- Implemented L1 Swaps on Testnet
- Show asset balances in dropdown
- Simplified the UI by removing tabs
- Restricting Txs when user has insufficient funds

You can follow Brokkr updates here: Twitter: @Brokkrfinance Telegram channel: https://t.me/brokkrfinance

https://brokkr.finance/

Bridges

How to bridge to THORChain? This is a serious undertaking; a dev should be sponsored for 6–12 months:

  1. Read https://gitlab.com/thorchain/thornode/-/blob/develop/docs/newchain.md and https://docs.thorchain.org/chain-clients/overview
  2. Implement the Chain Client https://gitlab.com/thorchain/thornode/-/tree/develop/bifrost/pkg/chainclients
  3. Add to Node Launcher https://gitlab.com/thorchain/devops/node-launcher
  4. Add to XChainJs https://github.com/xchainjs/xchainjs-lib
  5. Launch on Mocknet — demo to community
  6. Launch on Testnet, stabilise. Must be run successfully for a few weeks with no issues.
  7. Launch on Mainnet, stabilise
  8. Maintain the chain client, be on deck for hard forks, client updates and more.

Deployed to MCCN

  • Bitcoin: Deployed to chaosnet
  • Ethereum: Deployed to chaosnet
  • BitcoinCash: Deployed to chaosnet
  • Litecoin: Deployed to chaosnet

UTXO Chains

  • Dogecoin: Complete, will be activated after MCCN
  • ZCash: Scoped, rain-checked
  • Decred — Ongoing
  • Dash — Ongoing

Cryptonote

  • Haven: [paused due to XHV bandwidth]
  • Monero: Pending Haven implementation

Custom

  • Cardano — Scoping
  • Polkadot: [depends on THORNode ED25519]
  • Avalanche: Scoped, WIP with team to investigate options
  • Zilliqa: Scoped, rain-checked
  • Solana: [depends on THORNode ED25519]

EVM Chains

  • Binance Smart Chain: Likely after MCCN
  • Ethereum Classic: Rain-checked
  • Rootstock: Rain-checked
  • Arbitrum: Rain-checked

IBC

A development partner has been found and will begin building IBC bridges.

Pending IBC integration — Cosmos, Terra, Kava, Secret Network, Injective Protocol, Sifchain, Akash Network.

Next Milestones

  • Security Audits of Code (structured and unstructured)
  • Restart the THORChain Blockchain
  • Ragnarok (Shutdown) SCCN
  • Restart External Chains

Community

To keep up to date, please monitor community channels, particularly Telegram and Twitter:
