Post Mortem: Thoreum Finance
1/8/2024

Project name: Thoreum Finance (Jan 19th)

Project type: Token

Date of exploit: Jan 18th, 2023

Asset loss: Around 2,260 WBNB

Vulnerability: Logic issue

Date of audit report publishing: Jul 1st, 2021

Conclusion: Out of Audit Scope

Details of the Exploit

Background

Thoreum Finance is a DeFi project that provides multiple services, such as liquidity mining, to its users. Its token contract was upgraded to v4 on Jan 18 and was exploited after the upgrade.

Nature of the Vulnerability

  • The new implementation of Thoreum is unverified, but the _transfer() function is likely flawed when from == to: on a self-transfer, the sender's balance increases by the transferred amount instead of staying unchanged.
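
One common coding pattern that produces the symptom described above, modelled in Python as an added example; it is not Thoreum's contract code (which is unverified), and the class, method and address names are hypothetical. The final function is the invariant a pre-upgrade test can assert: a self-transfer must leave both the balance and the total supply unchanged.

```python
# Added illustration: a minimal ledger model, NOT Thoreum's (unverified) contract.
# Assumption: the flaw follows the "cache both balances, then write both" pattern.


class Ledger:
    """Toy token ledger mapping address -> integer balance (constructed data)."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def total_supply(self):
        return sum(self.balances.values())

    def transfer_cached(self, sender, recipient, amount):
        # Flawed pattern: both balances are read before either is written.
        from_bal = self.balances.get(sender, 0)
        to_bal = self.balances.get(recipient, 0)
        if amount < 0 or from_bal < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = from_bal - amount
        # If sender == recipient, this write overwrites the debit above with
        # the stale pre-debit value plus amount, so the balance grows.
        self.balances[recipient] = to_bal + amount

    def transfer_safe(self, sender, recipient, amount):
        # Hardened form: write the debit first, then re-read for the credit,
        # so a self-transfer nets to zero.
        if amount < 0 or self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


def check_self_transfer(method_name, start=100, amount=40):
    """Return (balance_delta, supply_delta) after one self-transfer."""
    ledger = Ledger({"alice": start, "bob": 50})  # constructed sample state
    supply_before = ledger.total_supply()
    getattr(ledger, method_name)("alice", "alice", amount)
    return (ledger.balances["alice"] - start,
            ledger.total_supply() - supply_before)


if __name__ == "__main__":
    for name in ("transfer_cached", "transfer_safe"):
        print(name, check_self_transfer(name))
```
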

CertiK Audit Overview


Conclusion

On Jan 18, 2023, Thoreum Finance's token contract v4 was exploited, leading to a loss of around 2,260 WBNB. The attacker took advantage of the flawed implementation in the token contract's transfer function and manipulated its balance.

According to the announcement from the Thoreum team, the vulnerability arose in the newly updated (unverified) contract deployed on Jan 18th, 2023.
