Bug Forces Shutdown of Bitcoin-Backed Ethereum Token tBTC

Blockchain venture studio Thesis has put a pause on deposits into tBTC, its new platform meant to put BTC on Ethereum so BTC can be used in decentralized finance (DeFi).

The Thesis team cited a bug, but is not disclosing details until all funds have been safely withdrawn from this iteration of tBTC. Thesis is now helping early users withdraw any BTC that had been deposited.

The project lead behind the new system, Thesis CEO Matt Luongo, sent the following statement to CoinDesk via a spokesperson:

"While the tBTC dapp was being tested over the weekend in its alpha version, a couple of community members put a few BTC into the contract before testing had concluded. Meanwhile, an issue in the dapp that was missed by our security audit was found by two of our contributors, and we decided to pause deposits for now to ensure the safety of funds. It is thanks to the strength and engagement of our community that this was identified quickly and all funds are safe."

Luongo said the priority now was to further enhance the security of the system before announcing a timeline to re-deploy it. A new audit is being conducted by Trail of Bits; another auditor will also be enlisted and its bug bounty has been increased tenfold.

Luongo first announced that tBTC had been paused at 5:58 UTC on Monday. It had been live for two days. He credited a member of the Thesis team for finding the flaw, and Summa's James Prestwich for verifying it.

Luongo wrote later in the Twitter thread, "Because the system is young and most minters are active community members, I think we can get this done in 1 to 2 days. Though we fixed the issue in code last night, we don't want to expose it until all funds are drained."

Prestwich declined to comment. Luongo wrote on Twitter that a full post-mortem is forthcoming. A Thesis spokesperson told CoinDesk this will likely be released tomorrow.

Thesis has taken down the tBTC dapp to make the smart contract less accessible. As of this writing, Etherscan shows 7 tBTC minted, of a max of 11 BTC.

The security model for tBTC is described in its documentation. It delineates four things Thesis can do with its key to the smart contract. Among those, it can pause new deposits one time for 10 days. This is how Thesis stopped deposits Monday, but the option can only be used once.

That documentation also says, "The first version of tBTC has been built without any ability to upgrade contracts." The Thesis team has not confirmed that it will deploy a whole new smart contract.

DISCLOSURE

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Brady Dale

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.