thorchain-283THORChainTHORChain (RUNE), a decentralized cross-chain transaction protocol, said it was attacked again, and many ERC20 tokens including XRUNE were affected. Thorchain told CoinDesk a whitehat hacker deployed a custom contract that was able to trick its Bifrost Protocol into receiving a deposit of fake assets. Not long ago, THORChain updated Eth Bifrost to allow the routing contract to be "encapsulated" by the contract. The attacker uses this to send a transaction with msg.value = 200 ETH and immediately uses the contract to transfer it back to itself, while Bifrost will report msg. value = 200 instead of depositAmount = 0, so as to realize the profit of calling the routing contract with the amount of 0 ETH. The attack was very restrained eluding that the attacker may be a whitehat hacker.

Detail Analysis

< Back

THORChain

Submit Incident Report

Date:

Status:

Count:

Contributor:

July 23, 2021

Verified

zerofriction.io

Loss Amount:

8,000,000

Recovered Amount:

Currency:

Dollars, ALCX, XRUNE, USDC, SUSHI, YFI, USDT

KYC By:

Audit By:

None

Certik

Website:

https://thorchain.org/

Twitter:

https://twitter.com/thorchain

Discord:

https://discord.gg/KjPVnGy5jR

Telegram:

https://t.me/thorchain_org

Medium:

No data

Github:

https://github.com/thorchain

Key Indicators

Platform:

Type:

Category:

Method:

Thorchain

Protocol

Dexes

Contract Vulnerabilities

Extended Method:

Contract vulnerabilities

Data Sources:

https://www.coindesk.com/markets/2021/07/23/blockchain-protocol-thorchain-suffers-8m-hack/ https://rekt.news/thorchain-rekt2/

THORChain (RUNE), a decentralized cross-chain transaction protocol, said it was attacked again, and many ERC20 tokens including XRUNE were affected. Thorchain told CoinDesk a whitehat hacker deployed a custom contract that was able to trick its Bifrost Protocol into receiving a deposit of fake assets. Not long ago, THORChain updated Eth Bifrost to allow the routing contract to be "encapsulated" by the contract. The attacker uses this to send a transaction with msg.value = 200 ETH and immediately uses the contract to transfer it back to itself, while Bifrost will report msg. value = 200 instead of depositAmount = 0, so as to realize the profit of calling the routing contract with the amount of 0 ETH. The attack was very restrained eluding that the attacker may be a whitehat hacker.

DISCLAIMER: While Zero Friction LLC has used the best efforts in aggregating and maintaining this database, Zero Friction LLC makes no representations or warranties with respect to the accuracy or completeness, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances, shall Zero Friction LLC be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the dataset or information derived from our database.

< Back