Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

A $47.43M Loophole in THORChain - 2036

qedaudit, posted 13 days ago
  • The authors of this post, who maintain an automated tool, used it to find two bugs in THORChain. This article describes those bugs and their fallout.
  • Cosmos SDK has a pipeline, called ante handlers, for interacting with transactions before the state-transition logic runs. In the case of Thorchain, they used it to enforce application-specific rules about which message types were allowed. The authz module's MsgExec adds a layer of misdirection: the outer message is valid on its own, but it wraps other messages. If you're not careful, this can be used to circumvent checks.
  • The message MsgModifyLimitSwap is explicitly missing from the whitelist of allowed messages because it is intended to be an internal message. By wrapping a MsgModifyLimitSwap within a MsgExec, the whitelist is effectively skipped. The handler's donateToPoll() function then credits arbitrary amounts to pool balances, even though the funds don't exist. This attack can be used to drain all funds from all pools at once.
  • The second bug was an accounting issue. Thorchain uses memos in TXs on other chains to route how operations should be performed. The handler works as follows:
    1. Parse the top-level memo.
    2. Choose the targetModule based on the memo type. This defaults to Asgard.
    3. Send funds from the signer to the module.
    4. If it's a reference-read (TxReferenceReadMemo), resolve the reference and reparse the memo.
  • The problem with this flow is that the operation could end up being performed against a module that never received the funds. TxReferenceReadMemo is handled after the transfer, so the funds sit in Asgard even though the balance is thought to have been transferred to the correct module. This breaks the invariant that module balances correspond to protocol state.
  • Both of these bugs were discovered on January 9th, 2026 and took about three weeks to fix. Given the severity of the first bug, I'm surprised it took this long to fix. Good article, explaining not only the bug but the internals of Thorchain too.
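The whitelist-bypass pattern from the first bug, as an added example that is not code from the article or from THORChain: a simplified Go model of an ante-handler whitelist that only looks at top-level message types, beside a version that unwraps wrapper messages recursively. The Msg type and the two THORChain-style type URLs are hypothetical stand-ins; only the authz MsgExec URL is real.

```go
package main

import "fmt"

// Msg is a simplified model of a Cosmos SDK message (not the real SDK type):
// its type URL and, for wrappers such as authz MsgExec, the inner messages.
type Msg struct {
	TypeURL string
	Inner   []Msg
}

// MsgExec is the real authz type URL; the two THORChain-style URLs are
// hypothetical stand-ins chosen for this example.
const (
	msgExec            = "/cosmos.authz.v1beta1.MsgExec"
	msgSwap            = "/types.MsgSwap"
	msgModifyLimitSwap = "/types.MsgModifyLimitSwap" // internal-only, not whitelisted
)

var allowed = map[string]bool{msgExec: true, msgSwap: true}

// naiveCheck inspects only top-level message types, so a non-whitelisted
// message carried inside MsgExec is never examined.
func naiveCheck(msgs []Msg) error {
	for _, m := range msgs {
		if !allowed[m.TypeURL] {
			return fmt.Errorf("message type %s not allowed", m.TypeURL)
		}
	}
	return nil
}

// deepCheck applies the whitelist to every nested message by unwrapping wrappers
// recursively; maxDepth bounds the recursion so nested wrappers cannot exhaust the stack.
func deepCheck(msgs []Msg, depth, maxDepth int) error {
	if depth > maxDepth {
		return fmt.Errorf("message nesting deeper than %d levels", maxDepth)
	}
	for _, m := range msgs {
		if !allowed[m.TypeURL] {
			return fmt.Errorf("message type %s not allowed", m.TypeURL)
		}
		if len(m.Inner) > 0 {
			if err := deepCheck(m.Inner, depth+1, maxDepth); err != nil {
				return err
			}
		}
	}
	return nil
}
```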