How was Thoreum Finance exploited as a result of a smart contract vulnerability?
On January 19, 2023, Thoreum Finance was hacked as a result of a smart contract vulnerability, causing the protocol to lose approximately 2260 BNB worth $580,000.
Thoreum Finance is a liquidity mining platform offering static rewards.
The vulnerability was caused by an incorrect implementation of the transfer function in their contract: if a wallet sent funds to itself, the token balance of that wallet increased by the amount sent.
The attacker deposited BNB in order to obtain $WBNB tokens, utilized a function of the contract to mint $THOREUM tokens, swapped everything on BiSwap, and finally transferred the tokens to themselves.
When this exploiter-deployed contract performed a transfer call to itself, its balance grew as a result of the vulnerable logic in the transfer function.
This procedure was repeated several times after which the contract held more than 500,000 $THOREUM tokens.
In the same transaction, all of the obtained $THOREUM tokens were converted to $WBNB tokens and sent to this address.
Later, that address transferred about 2250 $BNB tokens to Tornado Cash.
The team later published a detailed post-mortem report of the incident.
It is recommended to use hardware wallets to store private keys offline in order to limit such attacks to a large extent. Using multi-signature wallets can also give an extra layer of security. A cold storage method, which involves storing the private keys on a machine that is not connected to the internet, can also be favored, making them less vulnerable to phishing attacks.
A team should also perform multiple security audits of their protocol to ensure that all potential vulnerabilities are identified and addressed, further securing the protocol.
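The self-transfer flaw described above is the kind of defect a balance-conservation test catches during an audit. The following is an added example, not Thoreum's contract code: it models a token ledger in Python, assumes the bug came from reading both balances before writing either (the page does not show the actual logic), and uses hypothetical names throughout.

```python
# Added illustration: a minimal ledger model, not Thoreum's contract code.
from itertools import product


class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def total(self):
        return sum(self.balances.values())

    def transfer_cached(self, sender, recipient, amount):
        """Assumed bug pattern: both balances are read before either is written."""
        sender_bal = self.balances[sender]
        recipient_bal = self.balances[recipient]
        if amount > sender_bal:
            raise ValueError("insufficient balance")
        self.balances[sender] = sender_bal - amount
        # When sender == recipient, this write replaces the debit with a stale value.
        self.balances[recipient] = recipient_bal + amount

    def transfer_safe(self, sender, recipient, amount):
        """Debit and credit each re-read storage, so a self-transfer nets to zero."""
        if amount > self.balances[sender]:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] += amount


def conservation_violations(method_name, start):
    """Run a transfer for every (sender, recipient) pair, self-pairs included,
    and return the pairs for which the total supply changed."""
    violations = []
    for sender, recipient in product(start, repeat=2):
        ledger = Ledger(start)
        amount = ledger.balances[sender]  # move the sender's full balance
        getattr(ledger, method_name)(sender, recipient, amount)
        if ledger.total() != sum(start.values()):
            violations.append((sender, recipient))
    return violations


SAMPLE = {"alice": 100, "bob": 50}  # constructed balances for the test

if __name__ == "__main__":
    print("cached:", conservation_violations("transfer_cached", SAMPLE))
    print("safe:  ", conservation_violations("transfer_safe", SAMPLE))
```

Only the self-pairs break conservation in the cached variant, which is why a test suite that never sets sender equal to recipient misses this class of bug.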
We may not have prevented the occurrence of this hack; however, the impact or aftermath of this attack could have been significantly reduced if Thoreum Finance had set up a dedicated cover pool in the Neptune Mutual marketplace. Through our parametric policies, we offer coverage to users who have suffered a loss of funds or digital assets as a result of smart contract vulnerabilities.
Users who purchase our parametric cover policy do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident like this is resolved through our governance system.
Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.
Reference source: Ancilia