Author: Lyndon & Lisa

Editor: Liz

Background

On February 21, 2025, the cryptocurrency exchange Bybit suffered a massive hack, with stolen funds totaling $1.46 billion, making it one of the most severe attacks on an exchange in history. According to on-chain analysis, the hackers' primary money laundering method was to exchange ETH for BTC through THORChain. It is rumored that within just a few days, the hackers' money laundering activities brought THORChain $2.91 billion in trading volume and $3 million in fee income. Ben Zhou, co-founder and CEO of Bybit, confirmed on March 4 that the hackers exchanged a total of 361,255 ETH (approximately $900 million) through THORChain, accounting for 72% of the stolen funds.

This incident has once again drawn attention to decentralized cross-chain bridges. This article will explore how THORChain operates, its core components, security mechanisms, and how to analyze the addresses obtained after crossing chains through THORChain.

What is THORChain?

THORChain is a decentralized cross-chain liquidity network built with the Cosmos SDK. It operates as a layer-1 decentralized exchange (DEX) that lets users exchange assets across different blockchains in a non-custodial manner, without trusting a third party.

Operation Method

(https://docs.thorchain.org/technology/bifrost-tss-and-vaults)

Assuming Alice wants to exchange ETH for BTC, the workflow of THORChain is as follows:

  • User-initiated cross-chain transaction: Alice sends ETH to the THORChain ETH Vault, and the transaction is detected by THORChain, triggering the exchange logic.

  • Cross-chain transaction execution: THORChain parses the ETH transaction through Bifrost and calculates the BTC price. The AMM mechanism calculates the exchange ratio and determines how much BTC Alice will receive.

  • Target chain asset release: THORChain uses the TSS (Threshold Signature) mechanism to sign transactions on the BTC network, sending BTC to the address specified by Alice.

The entire process is completely decentralized, without the need for a third party.

Core Components

  • RUNE token and economic model: RUNE is THORChain's native token, primarily used for providing liquidity, ensuring security, managing governance, and offering a reward mechanism. THORChain adopts a slippage-based fee model (CLP), where transaction fees are linked to transaction slippage and are dynamically adjusted based on liquidity demand for trading pairs (paired with RUNE), making it one of the core designs of THORChain's unique automated market maker (AMM).

(https://docs.thorchain.org/thorchain-finance/continuous-liquidity-pools)

  • Cross-chain interoperability mechanism (Bifrost, TSS, and Vaults): Each node has a 'Bifrost' service to handle the nuances of connecting to each chain. After nodes synchronize, they monitor the vault address. If they see incoming transactions, they read and convert them into THORChain witness transactions. The state machine processes finalized transactions and executes corresponding logic, such as sorting transactions, calculating state changes, and delegating them to specific vault exits. Then, an outgoing transaction is created and stored in Key-Value storage. Once the final transaction is created, signers load it from their local copies and serialize it into the correct transaction for the target chain using the corresponding chain client before sending it to the TSS module for coordinated key signing. The finalized signed transaction is then broadcast to the respective chain.

(https://docs.thorchain.org/technology/bifrost-tss-and-vaults)

  • Cosmos and CosmWasm: Because THORChain is built on the Cosmos SDK, it inherits the advantages of flexibility and convenience from the Cosmos ecosystem while also addressing some issues on Cosmos: for example, multi-asset representation issues, node software defects, wallet address compatibility issues, etc. THORChain also supports CosmWasm contracts, where the module called x/wasm executes contracts ending in .rs automatically. Developers will deploy these contracts according to a bi-weekly upgrade cycle. They will first be tested on the testnet and then deployed to the mainnet after a period of verification.
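The slippage-based fee described in the RUNE bullet above can be worked through numerically. The following is an added example, not code from THORChain or from the original article; it assumes the CLP formulas given in the THORChain documentation linked above (slip = x/(x+X), output = xXY/(x+X)², fee = x²Y/(x+X)²), uses constructed pool depths, and omits outbound network fees.

```python
from fractions import Fraction

def clp_swap(x, X, Y):
    """One CLP swap of x input units against a pool holding X input / Y output.

    Returns (output, liquidity_fee, slip); the fee is in the output asset.
    """
    x, X, Y = Fraction(x), Fraction(X), Fraction(Y)
    slip = x / (x + X)                      # share of the pool the trade moves
    out = x * X * Y / (x + X) ** 2          # constant-product output * (1 - slip)
    fee = x * x * Y / (x + X) ** 2          # constant-product output * slip
    return out, fee, slip

def eth_to_btc(eth_in, eth_pool, btc_pool):
    """ETH -> RUNE -> BTC double swap; each pool is (asset_depth, rune_depth)."""
    eth_depth, eth_rune = eth_pool
    btc_depth, btc_rune = btc_pool
    rune_out, fee_rune, slip1 = clp_swap(eth_in, eth_depth, eth_rune)
    btc_out, fee_btc, slip2 = clp_swap(rune_out, btc_rune, btc_depth)
    return {"btc_out": btc_out, "fee_rune": fee_rune, "fee_btc": fee_btc,
            "slips": (slip1, slip2)}

# Constructed pool depths, for illustration only.
ETH_POOL = (10_000, 20_000_000)    # 10,000 ETH paired with 20,000,000 RUNE
BTC_POOL = (500, 40_000_000)       # 500 BTC paired with 40,000,000 RUNE

if __name__ == "__main__":
    for size in (10, 100, 1_000):
        r = eth_to_btc(size, ETH_POOL, BTC_POOL)
        print(size, "ETH ->", float(r["btc_out"]), "BTC, slips",
              [float(s) for s in r["slips"]])
```

Because the fee grows with the square of the trade size relative to pool depth, a swap ten times larger pays far more than ten times the fee, which is why very large volumes translate into substantial fee income for the network.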

Security Mechanism

  • Node incentive and penalty mechanism: Each THORChain node needs to stake RUNE as a guarantee for network security. If a node violates rules or is attacked, the staked assets will be subject to deduction, serving as a deterrent and risk-sharing mechanism. The system has built-in automated detection and penalty mechanisms, which immediately execute penalties upon discovering malicious behavior to ensure the healthy operation of the entire network.

  • Smart contracts and multi-signature mechanisms: Asset management and scheduling are implemented through smart contracts, ensuring the automatic execution and immutability of cross-chain operations. To prevent single points of failure or centralization risks, the multi-signature mechanism plays a key role in the unlocking and transfer of cross-chain assets, ensuring that each link of the transaction is confirmed by multiple nodes.

  • Continuous auditing and upgrading: The development team and community regularly conduct security audits on the protocol and contracts to discover and fix vulnerabilities promptly. In the face of emerging security threats and technical challenges, the network continuously upgrades and optimizes the protocol to adapt to the ever-changing blockchain ecosystem.

How to trace THORChain cross-chain transactions?

Taking the intermediary address 0x8ab1d1d3e7db399835172576cce0bd1c200a1ce8 of the Bybit event hacker as an example, this address receives funds through THORChain cross-chain, flowing to the BTC address:

There are several ways to obtain the information after the hacker crosses chains through THORChain:

  • Cross-chain bridge Explorer: The simplest and most direct way is to check whether the cross-chain bridge has its own Explorer. By entering the hash of the cross-chain transaction in the Explorer, you can clearly see the currency, amount, and receiving address after the cross-chain swap.

(https://thorchain.net/tx/0x16ed29f9bf9914ea3b62e4e94829eaef10118d04e82849a285ef8a5700defa1a)

  • Blockchain Explorer: If the cross-chain bridge does not have a related Explorer, blockchain explorers like Etherscan can also be used. Choose to display Input Data in UTF-8 format:

Or obtain the parsed address by clicking on Decode Input Data:

You can also view through Logs:

  • MistTrack: MistTrack (https://misttrack.io/), the anti-money laundering tracking and analysis system from SlowMist, supports cross-chain parsing. In the Standard plan, right-click on 'THORChain' and select 'Cross-chain Parsing' to see the exchanged assets and receiving address:

At the same time, by clicking on the parsed address, you can directly access the details page of the receiving address.

Besides THORChain, MistTrack currently also supports parsing Bridgersxyz, TransitFinance, StargateFinance, AcrossProtocol, and deBridgeFinance, and will support more cross-chain bridges in the future.
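What the blockchain-explorer method above does by hand (reading the Input Data as UTF-8 to find the destination) can be scripted. This is an added example, not part of the original article or of any THORChain or MistTrack tool. It assumes the deposit call passes the memo as its fourth argument (vault, asset, amount, memo, optional expiry) and that the swap memo has the form FUNCTION:ASSET:DESTADDR:LIMIT; the selector, vault, amount, expiry and BTC address in the sample are constructed placeholders.

```python
# Added example: recover the THORChain swap memo from Ethereum calldata.
# Assumes the deposit call layout (vault, asset, amount, memo[, expiry]).
SWAP_ALIASES = {"swap", "s", "="}                                  # assumed aliases
SHORT_ASSETS = {"b": "BTC.BTC", "e": "ETH.ETH", "r": "THOR.RUNE"}  # assumed shorthand

def extract_memo(calldata_hex: str) -> str:
    """Return the ABI-encoded string that is the 4th call argument."""
    hexstr = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    args = bytes.fromhex(hexstr)[4:]                 # drop the 4-byte selector
    if len(args) < 4 * 32:
        raise ValueError("calldata too short for a deposit call")
    offset = int.from_bytes(args[96:128], "big")     # head word 4 = string offset
    if offset + 32 > len(args):
        raise ValueError("memo offset points outside calldata")
    length = int.from_bytes(args[offset:offset + 32], "big")
    body = args[offset + 32:offset + 32 + length]
    if len(body) != length:
        raise ValueError("memo is truncated")
    return body.decode("utf-8")

def parse_swap_memo(memo: str) -> dict:
    """Split FUNCTION:ASSET:DESTADDR[:LIMIT...] into named fields."""
    parts = memo.split(":")
    if len(parts) < 3 or parts[0].lower() not in SWAP_ALIASES:
        raise ValueError("not a swap memo")
    asset = SHORT_ASSETS.get(parts[1].lower(), parts[1].upper())
    return {"asset": asset, "dest_address": parts[2], "extra": parts[3:]}

def trace(calldata_hex: str) -> dict:
    """Calldata in, destination asset and receiving address out."""
    return parse_swap_memo(extract_memo(calldata_hex))

def build_sample(memo: str) -> str:
    """Constructed calldata: placeholder selector, vault, amount and expiry."""
    word = lambda n: n.to_bytes(32, "big")
    m = memo.encode()
    head = word(0x11) + word(0) + word(10**18) + word(5 * 32) + word(1_900_000_000)
    tail = word(len(m)) + m + b"\x00" * (-len(m) % 32)
    return "0x" + (bytes(4) + head + tail).hex()

SAMPLE_MEMO = "=:b:bc1qconstructedexampleaddress:0"   # constructed, not a real address
SAMPLE_TX_INPUT = build_sample(SAMPLE_MEMO)

if __name__ == "__main__":
    print(trace(SAMPLE_TX_INPUT))
```

The `dest_address` field is the address to continue tracing on the target chain; the length and offset checks keep a malformed or truncated input from being misread as a valid memo.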

Summary

As a permissionless cross-chain liquidity protocol, THORChain, while providing efficient and secure asset exchange and transfer methods, can also easily become a tool for hackers to launder funds, highlighting the 'double-edged sword' nature of decentralized cross-chain solutions. THORChain is just one example; finding a balance between decentralization, privacy protection, and security compliance has become an important challenge facing the crypto ecosystem.