The Thesis team cited a bug, but is not disclosing details until all funds have been safely withdrawn from this iteration of tBTC. Thesis is now helping early users withdraw any BTC that had been deposited.
The project lead behind the new system, Thesis CEO Matt Luongo, sent the following statement to CoinDesk via a spokesperson:
"While the tBTC dapp was being tested over the weekend in its alpha version, a couple of community members put a few BTC into the contract before testing had concluded. Meanwhile, an issue in the dapp that was missed by our security audit was found by two of our contributors, and we decided to pause deposits for now to ensure the safety of funds. It is thanks to the strength and engagement of our community that this was identified quickly and all funds are safe."
Luongo said the priority now was to further enhance the security of the system before announcing a timeline to re-deploy it. A new audit is being conducted by Trail of Bits; another auditor will also be enlisted and its bug bounty has been increased tenfold.
Luongo first announced that tBTC had been paused at 5:58 UTC on Monday. It had been live for two days. He credited a member of the Thesis team for finding the flaw, and Summa’s James Prestwich for verifying it.
Luongo wrote later in the Twitter thread, “Because the system is young and most minters are active community members, I think we can get this done in 1 to 2 days. Though we fixed the issue in code last night, we don’t want to expose it until all funds are drained.”
Prestwich declined to comment. Luongo wrote on Twitter that a full post-mortem is forthcoming. A Thesis spokesperson told CoinDesk this will likely be released tomorrow.
The security model for tBTC is described in its documentation. It delineates four things Thesis can do with its key to the smart contract. Among those, it can pause new deposits one time for 10 days. This is how Thesis stopped deposits Monday, but the option can only be used once.
That documentation also says, “The first version of tBTC has been built without any ability to upgrade contracts.” The Thesis team has not confirmed that it will deploy a whole new smart contract.