Bug Forces Shutdown of Bitcoin-Backed Ethereum Token tBTC
Thesis has put a pause on deposits into tBTC, its new platform meant to get bitcoin into Ethereum's decentralized finance (DeFi) ecosystem.
The Thesis team cited a bug, but is not disclosing details until all funds have been safely withdrawn from this iteration of tBTC. Thesis is now helping early users withdraw any BTC that had been deposited.
The project lead behind the new system, Thesis CEO Matt Luongo, sent the following statement to CoinDesk via a spokesperson:
Luongo said the priority now was to further enhance the security of the system before announcing a timeline to re-deploy it. A new audit is being conducted by Trail of Bits; another auditor will also be enlisted, and the project's bug bounty has been increased tenfold.
Luongo first announced that tBTC had been paused at 5:58 UTC on Monday. It had been live for two days. He credited a member of the Thesis team for finding the flaw, and Summa's James Prestwich for verifying it.
Luongo wrote later in the Twitter thread, "Because the system is young and most minters are active community members, I think we can get this done in 1 to 2 days. Though we fixed the issue in code last night, we don't want to expose it until all funds are drained."
Prestwich declined to comment. Luongo wrote on Twitter that a full post-mortem is forthcoming. A Thesis spokesperson told CoinDesk this will likely be released tomorrow.
Thesis has taken down the tBTC dapp to make the smart contract less accessible. As of this writing, Etherscan shows 7 tBTC minted, of a max of 11 BTC.
The security model for tBTC is described in its documentation. It delineates four things Thesis can do with its key to the smart contract. Among those, it can pause new deposits one time for 10 days. This is how Thesis stopped deposits Monday, but the option can only be used once.
That documentation also says, "The first version of tBTC has been built without any ability to upgrade contracts." The Thesis team has not confirmed that it will deploy a whole new smart contract.