Thala protocol resumes operations after $25.5m exploit

Decentralized finance company Thala has resumed operations a day after the protocol’s liquidity pools were tapped for approximately $25.5 million.

In a Nov. 17 post, Thala informed users that all of its offerings had been restored except for the staking service, which was “being patched and audited.”

The announcement comes a day after the protocol said it was the victim of a security breach on November 15 that allowed a bad actor to withdraw a large amount of liquidity tokens. Reportedly, the isolated issue was caused by the protocol’s v1 farming contracts, where a security vulnerability emerged after the recent update.

According to Thala, all services were suspended immediately after the breach was flagged, and the protocol managed to freeze $11.5 million worth of Thala-related assets, including the protocol’s native THL token and Move Dollar (MOD).

This was made possible thanks to the Move programming language, which forms the basis of the Aptos blockchain that Thala runs on. Move treats digital assets as first-class resources and includes native functions such as freezing and writing.

To recover the remaining funds, Thala worked with law enforcement to track down the hacker behind the incident, along with SEAL 911, a group of DeFi security experts, and on-chain investigator Ogle. The hacker agreed to return all user assets in exchange for a $300,000 reward.

Thala assured users that all positions would be made “100% whole” and no action would be required.

The total value currently locked in Thala has dropped from $234 million to $196 million, while THL has fallen over 31% since the incident.

This is one of many attacks targeting decentralized protocols in recent months. On October 16, DeFi lender Radiant Capital was stripped of nearly $50 million after attackers exploited a backdoor contract.

In a September incident, staking protocol Bedrock lost an estimated $2 million in digital assets due to a bug that allowed cyber thieves to withdraw funds from the protocol’s liquidity pools.

Approximately $88.4 million was lost due to crypto attacks in October, according to blockchain security firm PeckSheild, while total on-chain losses rose to $181 million.