Sep 13, 2021

So you believe Thorchain is vulnerable … How Vulnerable?

This is the second article in our Thorchain series — in our first article we established that there are Hacks, and there are Believers: Believers want to be involved, want to support, and want to fiscally protect themselves from compromising events. We believe Pharo offers the best fiscal protection *small bias*, so if Thorchain is hacked again, while Believers will be set back, they can still participate going forward.

The question then becomes, for believers engaging with Thorchain: How do you estimate the time until the next hack?

There are a few ways to investigate vulnerabilities in DeFi protocols, or any system really, and they all share a common theme: investigating is an active behavior, not a result of passive observation from the sidelines. The three best ways to establish an opinion in advance of taking a position are:

  1. Consider the Source,
  2. Consider the Market,
  3. Consider the Product/Code

1. Consider the Source

In other words, Follow the Founders.

This will give you insight into the founders, the team, and their attitudes towards code, security, and strategy. Knowing the founders, the team, their pedigree, and their approach to business, DeFi or otherwise, can help one determine the level of professionalism and seriousness with which they are operating a business. This in turn will shape your opinion of the chain or protocol with regard to possible hacks or malicious events.

2. Consider the Market

One approach: Dive into Discord.

You will need to sort through the “wen moon” comments and repetitive noob questions; however, the significance of the real information you are able to uncover cannot be overstated. Every referential blog, tweet, mention or other comment is second-hand information; the best and most real-time information will be found in the Discord channels. Low activity in a security or support channel may indicate that it is not a priority for the developers, which can impact your opinion about the possibility of a hack or malicious event. Most of all, if direct questions to founders and admins aren’t well answered, that’s a red flag.

3. Consider the Product/Code

In other words, be the hacker.

This is not an option for everyone: even if you can read code with your morning coffee, it is time and energy intensive. However, for those with the education, time, and patience to analyze the code, we strongly recommend that you do. Forks of existing chains or protocols that have been hacked may exhibit the same behavior in the future if gaps or defects have not been addressed. Interacting with the protocol using your own tools or existing tools can reveal details about the possibility of a hack or malicious event.

This is not an exhaustive list by any means. As DeFi evolves, so too will the approaches and tools to investigate technical stability and build confidence. Audits are becoming increasingly popular, though they too are not without risk. Has the auditing group considered the latest hacks, for example? Alternatively, have the developers addressed any risks identified in a previous audit? Perhaps the audit reveals that the founders and development group are actually building something different from what has been communicated. This may not indicate hack potential, but it may indicate that something else nefarious is at play that can have an adverse effect or even a crippling impact on token price.

Also consider the market metrics and perspective when considering a chain or protocol’s risk: it may be a big fat juicy target, or it may not be worth the time invested at all. If the total value locked is high, the token price is high, and the volume of trades is high, and you are concerned about the security because you have not seen any discussion of it in Discord, then you may have identified a great candidate for a Pharo market.

All of these factors must be considered when you are determining the rate of occurrence, or when the next malicious event will occur. In the case of Thorchain, you may believe that the next hack will happen within 3 months; you may believe between 3 and 6, or maybe even more than a year.

Whatever your belief, you can play the Pharo Market to buy coverage or provide liquidity, and the closer your opinion is to the truth, the more lucrative the gains will be.