
Authors: Lyndon & Lisa
Editor: Liz
Background
On February 21, 2025, cryptocurrency exchange Bybit suffered a massive hack, resulting in a staggering $1.46 billion loss — one of the most severe attacks on an exchange in history. On-chain analysis revealed that the hacker primarily laundered the stolen funds by swapping ETH for BTC through THORChain. Rumors suggested that within just a few days, the hacker’s laundering activities generated $2.91 billion in trading volume on THORChain, earning the protocol $3 million in fees.
Bybit’s co-founder and CEO, Ben Zhou, confirmed on March 4 that the hacker had swapped a total of 361,255 ETH (approximately $900 million) through THORChain, accounting for 72% of the stolen funds.
This incident has once again brought decentralized cross-chain bridges into the spotlight. In this article, we will explore how THORChain operates, its core components, security mechanisms, and how to track addresses after assets are bridged through THORChain.
What is THORChain?
THORChain is a decentralized cross-chain liquidity network built using the Cosmos SDK. It operates as a Layer 1 cross-chain decentralized exchange (DEX), enabling users to swap assets across different blockchains in a non-custodial manner without relying on third parties.
How It Works
Suppose Alice wants to swap ETH for BTC. The process on THORChain works as follows:
User Initiates a Cross-Chain Transaction
Alice sends ETH to the THORChain ETH Vault. The transaction is detected by THORChain, triggering the swap logic.
Cross-Chain Transaction Execution
THORChain processes the ETH transaction through Bifrost and calculates the BTC price. The automated market maker (AMM) mechanism determines the exchange rate and how much BTC Alice will receive.
Asset Release on the Target Chain
Using the threshold signature scheme (TSS), THORChain signs a transaction on the BTC network and sends BTC to Alice’s specified address.
The entire process is fully decentralized and requires no third party.
Core Components
RUNE Token and Economic Model
RUNE is THORChain’s native token, primarily used for providing liquidity, securing the network, governance, and incentivizing participants. THORChain employs a continuous liquidity pool (CLP) fee model, where transaction fees are dynamically adjusted based on slippage and liquidity demand. This RUNE-based pairing mechanism is a key element of THORChain’s AMM design.
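To make the slippage-based fee concrete, here is an added example (not code from SlowMist or THORChain) that quotes an ETH to BTC swap routed through RUNE using the slip-based CLP formula from THORChain's public documentation: output = x·X·Y/(x+X)², fee = x²·Y/(x+X)². The pool depths and function names are constructed assumptions, and other fees a live network may charge are ignored.

```python
from fractions import Fraction

def clp_swap(x, X, Y):
    """One CLP swap: x in, against pool depths X (input side) and Y (output side).

    Returns (output, fee, slip). output + fee equals the plain constant-product
    output x*Y/(x+X); the fee is that amount scaled by the slip and stays in
    the pool for liquidity providers.
    """
    x, X, Y = Fraction(x), Fraction(X), Fraction(Y)
    slip = x / (x + X)                 # share of the post-swap depth that is new
    xyk = x * Y / (x + X)              # constant-product output before the fee
    return xyk * (1 - slip), xyk * slip, slip

def quote_eth_to_btc(eth_in, eth_pool, btc_pool):
    """Route ETH -> RUNE -> BTC. Each pool is (asset_depth, rune_depth)."""
    rune_out, fee_rune, slip1 = clp_swap(eth_in, eth_pool[0], eth_pool[1])
    btc_out, fee_btc, slip2 = clp_swap(rune_out, btc_pool[1], btc_pool[0])
    return {
        "btc_out": btc_out,
        "hops": [("ETH->RUNE", slip1, fee_rune), ("RUNE->BTC", slip2, fee_btc)],
    }

# Constructed pool depths (assumptions, not live THORChain data).
ETH_POOL = (1_000, 2_000_000)   # 1,000 ETH paired with 2,000,000 RUNE
BTC_POOL = (100, 4_000_000)     # 100 BTC paired with 4,000,000 RUNE

if __name__ == "__main__":
    for eth_in in (10, 1_000):
        q = quote_eth_to_btc(eth_in, ETH_POOL, BTC_POOL)
        print(eth_in, "ETH ->", float(q["btc_out"]), "BTC")
        for name, slip, fee in q["hops"]:
            print("   ", name, "slip", float(slip), "fee", float(fee))
```

A swap as large as the pool itself pays a 50% slip on the first hop, which is why very large volumes translate into large fee income for the protocol.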
Cross-Chain Interoperability Mechanism (Bifrost, TSS, and Vaults)
Each node operates a “Bifrost” service, which handles blockchain-specific interactions. Once nodes are synchronized, they monitor vault addresses. When an inbound transaction is detected, it is parsed and converted into a THORChain witness transaction. The state machine finalizes transactions and executes logic such as ordering, computing state changes, and delegating them to specific vaults. Then, an outbound transaction is generated and stored in key-value storage. Once finalized, signers load the transaction from their local copy, serialize it into the correct format for the target blockchain using the respective chain client, and send it to the TSS module for coordinated key signing. The final signed transaction is then broadcast to the target chain.
Cosmos and CosmWasm
As THORChain is built on the Cosmos SDK, it benefits from the flexibility and efficiency of the Cosmos ecosystem while addressing certain issues, such as multi-asset representation, node software vulnerabilities, and wallet address incompatibilities. THORChain also supports CosmWasm smart contracts through the x/wasm module, which executes contracts written in Rust (source files ending in .rs). Developers deploy these contracts following a biweekly upgrade cycle. They are first tested on the testnet before being deployed to the mainnet after verification.
Security Mechanisms
Node Incentives and Penalties
Each THORChain node must stake RUNE as collateral to ensure network security. If a node engages in malicious behavior or is compromised, its staked assets may be slashed as a deterrent and risk-sharing measure. The system has built-in automated detection and penalty mechanisms that immediately enforce sanctions upon detecting malicious activity, ensuring the network remains secure and stable.
Smart Contracts and Multi-Signature Mechanisms
Smart contracts manage assets and execute cross-chain operations in an automated and tamper-proof manner. To mitigate single points of failure and centralization risks, multi-signature mechanisms play a crucial role in unlocking and transferring cross-chain assets, ensuring that all transactions are verified by multiple nodes.
Continuous Audits and Upgrades
The development team and community regularly conduct security audits on the protocol and smart contracts to identify and fix vulnerabilities. As new security threats and technological challenges emerge, the network undergoes continuous upgrades and optimizations to adapt to the evolving blockchain landscape.
How to Track Cross-Chain Transactions on THORChain?
Using the Bybit hacker’s intermediary address 0x8ab1d1d3e7db399835172576cce0bd1c200a1ce8 as an example, the hacker transferred received funds through THORChain, which were then moved to a BTC address.
Several methods can be used to trace the hacker’s transactions after crossing chains via THORChain:
Cross-Chain Bridge Explorer
The simplest and most direct way is to check whether the cross-chain bridge has an explorer. By entering the transaction hash in the explorer, one can clearly see the transferred assets, amount, and receiving address.
Blockchain Explorers
If the cross-chain bridge does not have a dedicated explorer, blockchain explorers such as Etherscan can be used. Select UTF-8 format for Input Data to reveal encoded transaction details.
Alternatively, clicking Decode Input Data can provide the parsed receiving address.
Logs can also be examined for additional details on the transaction.
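The readable text that the UTF-8 view exposes is the THORChain memo, whose swap form in THORChain's public documentation is FUNCTION:ASSET:DESTADDR:LIMIT:AFFILIATE:FEE. As an added example (not SlowMist's or THORChain's code), the Python below recovers that memo from raw Input Data and extracts the receiving address; the calldata layout, selector, addresses and function names are constructed placeholders.

```python
SWAP_FUNCTIONS = {"SWAP", "S", "="}  # swap memo prefixes, per THORChain's memo docs

def abi_strings(calldata_hex):
    """Yield printable strings stored ABI-style: a 32-byte length word, then the bytes."""
    h = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    body = bytes.fromhex(h)[4:]  # drop the 4-byte function selector
    for off in range(0, len(body) - 31, 32):
        n = int.from_bytes(body[off:off + 32], "big")
        if not 0 < n <= 512:
            continue  # addresses, amounts and memo text are not plausible lengths
        data = body[off + 32:off + 32 + n]
        if len(data) == n and all(0x20 <= b < 0x7F for b in data):
            yield data.decode("ascii")

def parse_swap_memo(memo):
    """Split FUNCTION:ASSET:DEST[/REFUND]:LIMIT:AFFILIATE:FEE; None if not a swap."""
    parts = memo.split(":")
    if len(parts) < 3 or parts[0].upper() not in SWAP_FUNCTIONS:
        return None
    parts += [""] * (6 - len(parts))  # optional trailing fields may be absent
    dest, _, refund = parts[2].partition("/")
    return {"asset": parts[1], "destination": dest, "refund": refund or None,
            "limit": parts[3] or None, "affiliate": parts[4] or None,
            "fee_bps": parts[5] or None}

def trace_destination(calldata_hex):
    """Return the parsed swap memo carried in an inbound vault transaction, if any."""
    for text in abi_strings(calldata_hex):
        parsed = parse_swap_memo(text)
        if parsed:
            return parsed
    return None

# --- constructed sample, not a real transaction ---
def _word(n):
    return n.to_bytes(32, "big")

DEST = "bc1q" + "x" * 38             # placeholder receiving address
MEMO = ("=:BTC.BTC:" + DEST).encode()
SAMPLE = "0x" + (
    bytes.fromhex("aabbccdd")        # placeholder selector
    + _word(int("11" * 20, 16))      # vault address (placeholder)
    + _word(0)                       # asset (constructed)
    + _word(10**18)                  # amount (constructed)
    + _word(0xA0)                    # offset of the memo string
    + _word(1740000000)              # expiry (constructed)
    + _word(len(MEMO)) + MEMO.ljust(64, b"\0")
).hex()

if __name__ == "__main__":
    print(trace_destination(SAMPLE))
```

Reading the length word first keeps stray printable bytes, such as the length byte itself (0x34, which renders as "4" here), out of the recovered memo.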
MistTrack Analysis
SlowMist’s MistTrack (https://misttrack.io/) supports cross-chain transaction parsing. In the Standard Plan, right-click “THORChain” and select “Cross-chain Parsing” to view the converted assets and receiving addresses.
Clicking on the parsed address will directly open its details page.
MistTrack currently supports cross-chain tracking for Bridgersxyz, TransitFinance, StargateFinance, AcrossProtocol, and deBridgeFinance, with plans to add more bridges in the future.
Conclusion
As a permissionless cross-chain liquidity protocol, THORChain provides an efficient and secure way to swap and transfer assets. However, it can also be exploited by hackers for money laundering, highlighting the double-edged nature of decentralized cross-chain transactions.
THORChain is just one example. Finding the balance between decentralization, privacy, and security compliance remains a major challenge in the crypto ecosystem.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.