Weekly Dev Update #99

Summary

THORChain ETH Router Upgrade Postmortum was released, new exploit detected, chain halted. Proposals for greater chain controls received.

ETH Exploit Halted Trading

Exploit of the bifrost was detected and trading was paused on the 16th of July.

• The bug is in the ETH Bifrost, and not the router
• The attacker wrapped the router with their own contract, which they called with a msg.value of 200, but their own contract called into the router with a call value of 0 and a deposit amount of 0
• The bifrost ultimately read the msg.value, with is 200, and not the final deposit amount, which was 0 Bifrost reads the deposit amount of 0: https://gitlab.com/thorchain/thornode/-/blob/develop/bifrost/pkg/chainclients/ethereum/ethereum_block_scanner.go#L794 Bifrost over-rides back to tx.value() https://gitlab.com/thorchain/thornode/-/blob/develop/bifrost/pkg/chainclients/ethereum/ethereum_block_scanner.go#L856
• The reason why the over-ride is to facilitate another router function of vaultTransferEvent where msg.value needs to be parsed.
• The fix is to make the over-ride only happen if it specifically is a vaultTransferEvent Next steps will be established soon, including recovery and return to solvency.

Loss of approx ~$4.9mm USD was taken. Output ETH Tx of the hacker will be stopped to reduce the losses.

Post-mortem: ETH Router Upgrade

On 9th July 2021, a whitehat discovered a vulnerability in the THORChain router when dealing with ERC-777 tokens and worked with the team to rescue the funds back to the THORStarter deployer account.

Full details at: https://medium.com/thorchain/post-mortem-eth-router-upgrade-62ecddd2e5fe

UPDATE 0.59.1

1. [BUG] ETH chain router upgrade. pr: https://gitlab.com/thorchain/thornode/-/merge_requests/1804

UPDATE 0.60.0

1. [BUG] Allow ERC20 token to spend more than MaxGas. PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1809 2)
2. [ADD] remove blacklist hacker addresses. PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1810 3)
3. [ADD] update the contract used in mocknet test. PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1812 4)
4. [BUG] Fix ETH chain attack. PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1815
5. https://gitlab.com/thorchain/thornode/-/merge_requests/1812 4) [BUG] Fix ETH chain attack. PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1815

UPDATE 0.60.1

1. [ADD] Stop all outbound transaction on ETH chain. PR: https://gitlab.com/thorchain/thornode/-/merge_requests/1817

Community Work

Dragons Dex Weekly Update (12 July — 18 July)

- Extended xchain-dart with the utility to identify some chains by reading a crypto address
- Dragons’ Eye test app implements xchain-dart for recognizing scanned QR-codes

Xchain.net Weekly Update (7/12–7/19):

- Added Msg models
- Implement GetTxFromHistory , GetFee , GetTransactions , SearchTxFromRPC Methods
- Added Fee models , RPC request / response models , search Tx models
- fix some typo and serialization issues

block42 Weekly Dev Report

• Implemented minting/redeeming from/to L1 assets (currently tested internally).
• Constantly implementing feedback from the community.
• Started working on a landing page for Brokkr.
• You can follow brokkr updates here: Twitter: @Brokkrfinance Telegram channel: https://t.me/brokkrfinance

https://brokkr.finance/#/

THORmon

THORmon Update
- Drop single chain legacy support
- Add age column
- Use precise durations
- Churn clock: Condense and improve precision
- Add churn indicators to nodes
- Refactorings and dependency updates
- Add more detailed information about network and churn
Help window:
Last Churn Height
Block Height
Next Churn Height
Network Age
- Restore selected nodes upon network data structure refresh

Backend
- Scale up

https://thorchain.network/

THORChain Monitoring bot

• Activated the new ILP formula
  - Added new notification types:
   — New protocol version detected
   — Protocol version upgrade progress
   — Protocol version upgrade finished
  - Fixed dependency inconsistency

Runiverse — Working on Pool objects (added vert/frag shaders)

GrassRoots Crypto Update

Uupcoming videos
- THORFI Synths Part 4 — iRune A Liquidity Pool Example looking at Asym vs Sym, IL and ILP — Part 1 Overview with Graphics — Part 2 Deep dive with Spreadsheet How to access THORFI Synths — THORSwap — Brokkr Finance

https://www.youtube.com/c/GrassRootsCrypto/

THORBelt Weekly Dev Report (June 28 to July 6)

— Started working on support for Ledger wallets — Still working on a fix to make deposit transactions with synth assets work in xchainjs/xdefi

— Week 6 — THORWallet Update —

App & Blockchain — Apple accepting First Testflight Beta Version with the following features: — Onboarding finalized with async storage and keychain — Creating new wallet — Importing existing wallet — See funds of main and testnet — See funds balance in USD (calculated with THORChain pool price -> Midgard integrated) — Receive funds with copy address or displaying QR code — Tested “Send funds” functionality on main and testnet — Switching from testnet to mainnet — See transactions of all funds — Refresh controls for blockchain assets — Drawer with social links and app version / build number — Apple App Store listing process partially completed — Performance improvements in general and when loading assets — Debugging and pull request to XChainjs

Business / Legal — Open official THORWallet channel on telegram: https://t.me/THORWalletOfficial — Launch THORWallet website: https://thorwallet.org/ — Legal and funding activities

What’s next — First improvements from feedback round — sending by scanning QR code — show ERC20 transactions correctly — pending transactions handling — fee estimation — show price history in dashboard

https://thorwallet.org/

ASGARDEX Weekly Update (6/28–7/4)

— validation to guard against interacting with non “available” pools — explorer fixed bugs to handle synth assets — explorer added Constants tab to network, to display constants and MIMIR values — ongoing synth support work

Ledger

ledger-thorchain npm published https://www.npmjs.com/package/@thorchain/ledger-thorchain

SKIPexchange Weekly Update (6/28–7/4):

— UX designs for desktop and mobile are finished — add Midgard guard for disabling swap/deposit/withdraw when Midgard is not responding — added Midgard health check — tx queue guard for deposit/withdraw

https://app.skip.exchange/swap

Xchain.net Weekly Update (6/28–7/4):

— project init — Xchain.net.Thorchain started — Xchain.net.Thorchain models , xchain.net.cosmos models , Xchain.net.Client Base Object and models added — added Xchain.net.Crypto — publicKey , PrivateKey objects , Secp256k1 , RIPEMD160 algos added — Address , AccAddress models added — bech32 , BIP39 Management added — Some of Xchain.net.Client , Xhcain.net.Thorchain Functions Implemented(Balances , URLs , Validations , …)

https://github.com/SLjavad/xchain.net

Bridges

How to bridge to THORChain? This is a serious undertaking, a dev should be sponsored for 6–12 months:

1. Read https://gitlab.com/thorchain/thornode/-/blob/develop/docs/newchain.md and https://docs.thorchain.org/chain-clients/overview
2. Implement the Chain Client https://gitlab.com/thorchain/thornode/-/tree/develop/bifrost/pkg/chainclients
3. Add to Node Launcher https://gitlab.com/thorchain/devops/node-launcher
4. Add to XChainJs https://github.com/xchainjs/xchainjs-lib
5. Launch on Mocknet — demo to community
6. Launch on Testnet, stabilise. Must be run successfully for a few weeks with no issues.
7. Launch on Mainnet, stabilise
8. Maintain the chain client, be on deck for hard forks, client updates and more.

Deployed to MCCN

• Bitcoin: Deployed to chaosnet
• Ethereum: Deployed to chaosnet
• BitcoinCash: Deployed to chaosnet
• Litecoin: Deployed to chaosnet

UTXO Chains

• Dogecoin: Complete, will be activated after MCCN
• ZCash: Scoped, rain-checked
• Decred — Ongoing
• Dash — Ongoing

Cryptonote

• Haven: [paused due XHV bandwidth]
• Monero: Pending Haven implementation

Custom

• Cardano — Scoping
• Polkadot: [depends on THORNode ED25519]
• Avalanche: Scoped, WIP with team to investigate options
• Zilliqa: Scoped, rain-checked
• Solana: [depends on THORNode ED25519]

EVM Chains

• Binance Smart Chain: Likely after MCCN
• Ethereum Classic: Rain-checked
• Rootstock: Rain-checked
• Arbitrum: Rain-checked

IBC

A development partner has been found and will begin building IBC bridges.

Pending IBC integration — Cosmos, Terra, Kava, Secret Network, Injective Protocol, Sifchain, Akash Network.

Next Milestones

• Restabilise the ETH based tokens and the Protocol
• Security firms audits completed
• Ragnarok (Shutdown) SCCN
• THORChain Name Service
• RAISETHECAPS

Community

To keep up to date, please monitor community channels, particularly Telegram and Twitter:

• Twitter: https://twitter.com/thorchain_org
• Telegram Community: https://t.me/thorchain_org
• Telegram Announcements: https://t.me/thorchain
• Reddit: https://reddit.com/r/thorchain
• Gitlab (primary): https://gitlab.com/thorchain
• Github (secondary): https://github.com/thorchain
• Medium: https://medium.com/thorchain