Thoreum Finance Smart Contract Vulnerability

How was Thoreum Finance exploited as a result of a smart contract vulnerability?

TL;DR

On January 19, 2023, Thoreum Finance was hacked as a result of a smart contract vulnerability, causing the protocol to lose approximately 2260 BNB, worth $580,000.

Introduction to Thoreum Finance

Thoreum Finance is a liquidity mining platform offering static rewards.

Vulnerability Assessment

The vulnerability is caused by an incorrect implementation of the transfer function in their contract: if a wallet sent funds to itself, the amount of tokens in the wallet would increase by as much as the sent amount.
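The following added example illustrates this class of self-transfer bug next to a hardened version. It is not Thoreum's contract code: the contract and function names are hypothetical, and caching both balances before writing is an assumed cause chosen because it produces exactly the behavior described above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed example: a minimal token ledger, not Thoreum's contract.
contract SelfTransferDemo {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(uint256 initialSupply) {
        balanceOf[msg.sender] = initialSupply;
        totalSupply = initialSupply;
    }

    // Vulnerable: both balances are cached before either is written.
    // When to == msg.sender the second write overwrites the first, so the
    // account ends with (balance + amount) while totalSupply is unchanged.
    function transferVulnerable(address to, uint256 amount) external returns (bool) {
        uint256 fromBalance = balanceOf[msg.sender];
        uint256 toBalance = balanceOf[to];
        require(fromBalance >= amount, "insufficient balance");
        balanceOf[msg.sender] = fromBalance - amount;
        balanceOf[to] = toBalance + amount; // stale value when to == msg.sender
        return true;
    }

    // Hardened: debit storage first, then credit by re-reading storage,
    // so a self-transfer nets to zero. The final assert enforces that the
    // combined balance of the two parties is conserved.
    function transferFixed(address to, uint256 amount) external returns (bool) {
        address from = msg.sender;
        uint256 fromBalance = balanceOf[from];
        require(fromBalance >= amount, "insufficient balance");
        uint256 sumBefore = from == to ? fromBalance : fromBalance + balanceOf[to];

        balanceOf[from] = fromBalance - amount;
        balanceOf[to] += amount;

        uint256 sumAfter = from == to ? balanceOf[from] : balanceOf[from] + balanceOf[to];
        assert(sumAfter == sumBefore);
        return true;
    }
}
```

A regression test that transfers to the sender's own address and asserts the balance and the sum of all balances are unchanged catches this defect before deployment.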

Steps

Step 1:

We took a closer look at one of the attack transactions executed by the exploiter.

Step 2:

It is speculated that the deployer key was compromised, allowing the exploiter to deploy a new contract and then upgrade the proxy contract to the malicious contract.

Step 3:

The attacker deposited BNB in order to obtain $WBNB tokens, utilized a function of the contract to mint $THOREUM tokens, swapped everything on BiSwap, and finally transferred the tokens to themselves.

Step 4:

When this exploiter-deployed contract performed a transfer call to itself, its balance grew as a result of the vulnerable logic in the transfer function.

Step 5:

This procedure was repeated several times, after which the contract held more than 500,000 $THOREUM tokens.

Step 6:

In the same transaction, all of the obtained $THOREUM tokens were converted to $WBNB tokens and sent to this address.

Step 7:

Later, that address transferred about 2250 $BNB tokens to Tornado Cash.

Aftermath

The team had a planned upgrade to their V4 version. During the upgrade, they notified their users on Twitter that V4 was under maintenance due to certain errors.

They had temporarily halted trading in order to investigate and fix the issue, after which trading resumed as usual.

The team later published a detailed post-mortem report of the incident.

Solution

It is recommended to use hardware wallets to store private keys offline in order to limit such attacks to a large extent. Using multi-signature wallets can also give an extra layer of security. A cold storage method, which involves storing the private keys on a machine that is not connected to the internet, can also be favored, making the keys less vulnerable to phishing attacks.

A team should also perform multiple security audits of their protocol to ensure that all potential vulnerabilities are identified and addressed, further securing the protocol.

We may not have prevented the occurrence of this hack; however, the impact or aftermath of this attack could have been significantly reduced if Thoreum Finance had set up a dedicated cover pool in the Neptune Mutual marketplace. Through our parametric policies, we offer coverage to users who have suffered a loss of funds or digital assets as a result of smart contract vulnerabilities.

Users who purchase our parametric cover policy do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident like this is resolved through our governance system.

Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.

Reference source: Ancilia
