Analysis of the Tsuru Exploit

4 min read

Learn how Tsuru was exploited, resulting in a loss of 137.78 ETH which is worth $410,000.


On May 10, 2024, Tsuru was exploited on the Base chain due to a smart contract vulnerability, which resulted in a loss of 137.78 ETH, which was worth approximately $410,000.

Introduction to Tsuru#

Tsuru is the original character created by a supposed Japanese illustrator, Tsurushima Tatsumi.

Vulnerability Assessment#

The root cause of the exploit is a lack of regulated access control.


Step 1:

We attempt to analyse the attack transaction executed by the exploiter.

Step 2:

The exploited TSURUWrapper contract had a vulnerable onERC1155Received function that lacked proper authentication and enough access control.

function onERC1155Received(address, address from, uint256 id, uint256 amount, bytes calldata) external override nonReentrant returns (bytes4) {
  require(id == tokenID, "Token ID does not match");

  if (msg.sender == address(erc1155Contract)) {
    return this.onERC1155Received.selector;

  _safeMint(from, amount * ERC1155_RATIO); // Adjust minting based on the ERC1155_RATIO
  return this.onERC1155Received.selector;

Step 3:

As long as the id or tokenID parameter in this function corresponds to the ID of the project, it would allow anyone to mint the TSURU token and later swap it for ETH in the Uniswap Liquidity pool.

Step 4:

This exploiter on the Base chain swapped the stolen 167 million Tsuru for 137.78 ETH, which were worth approximately $410,000, and then bridged it to this address on the Ethereum Mainnet. This address on the Ethereum Mainnet also received 40.95 ETH worth of assets from an old incident that traces back to the incident involving Perpy Finance.

Step 5:

The project was hacked roughly two hours after its deployment, and at the time of this writing, the address of the exploiter on the Ethereum Mainnet has a hold of 179.68 ETH, which is worth approximately $516,129.


The team acknowledged the occurrence of the exploit and has also shared the detailed post-mortem report regarding the incident.


To address the vulnerabilities exploited in the Tsuru smart contract, a multi-faceted approach focused on strengthening security protocols, improving contract design, and enhancing monitoring systems is essential. Firstly, introducing rigorous access control measures in smart contracts is critical. For the Tsuru case, specifically ensuring that the `onERC1155Received` function includes authentication checks to verify not only the contract addresses interacting but also the roles of the interacting accounts would prevent unauthorized access. This could be implemented by incorporating a modifier that checks if the caller is from a list of addresses pre-approved by the contract owner or holds a specific role defined within the contract's governance framework.

Additionally, enhancing the contract's logic to handle unexpected inputs more safely is necessary. For instance, implementing checks that validate the state changes within the contract before and after executing critical functions could help. This ensures that even if an unauthorized party were to call a function, they would not be able to cause state changes that could lead to asset theft or other undesired outcomes.

Improving the testing and deployment procedures is another crucial step. Before deployment, the contract should undergo thorough testing, including both automated tests and manual peer reviews. Utilizing testnets to simulate real-world usage and attacks can help uncover vulnerabilities that might not be evident in isolated tests. Furthermore, engaging external auditors to conduct security audits and offering bug bounty programs can incentivize the discovery and resolution of security flaws before they can be exploited maliciously.

Despite implementing the most stringent security measures, the potential for unforeseen vulnerabilities remains a constant risk. This inherent unpredictability underscores the importance of robust protective measures, such as those offered by Neptune Mutual. If the Tsuru team had collaborated with us to establish a dedicated cover pool beforehand, the financial impact of the exploit could have been significantly reduced. Our cover pools serve as financial safety nets, providing users with a mechanism to recover from potential economic setbacks resulting from smart contract vulnerabilities.

By partnering with Neptune Mutual, users are relieved from the often complex task of providing extensive proof of their financial losses. Once an incident is verified and resolved through our incident management framework, our primary focus shifts to the rapid processing and payment of claims. This approach ensures that affected parties receive timely financial support.

Operating across multiple blockchain networks, including Ethereum, Arbitrum, and the BNB chain, we are dedicated to offering our protective services to a wide array of DeFi enthusiasts. Our unwavering commitment to user safety fosters trust in the DeFi sector, especially in the wake of significant security breaches like the Tsuru exploit.

Reference Source Cyvers