According to Slow Fog (SlowMist), on June 29, 2021 THORChain, a decentralized cross-chain transaction protocol, tweeted that a malicious attack against THORChain had been detected and that THORChain nodes had reacted, isolated the attack and defended the network. The Slow Fog security team was the first to intervene and found that this was a “fake top-up” attack on the cross-chain system.
What is a “fake top-up”?
A “fake top-up” attack usually means that an attacker abuses some feature of a public chain to bypass an exchange's deposit and crediting checks, so that a deposit that never really happened is nevertheless credited as real.
With the rise of cross-chain services such as RenVM and THORChain, cross-chain nodes play the same role as an exchange: they scan another public chain for asset transfers and mint a mapped asset on the local chain. This is how THORChain moves tokens from Ethereum to other public chains, and it means the same class of bug applies to them.
Let’s trace the cause of this vulnerability starting from the business-logic entry point.
First, when a cross-chain deposit event is handled, the getAssetFromTokenAddress method is called to look up the token information, with the asset's contract address passed in as the parameter: bifrost/pkg/chkg/chain
In getAssetFromTokenAddress we see that it calls getTokenMeta to fetch the token metadata, again with the contract address as the argument. One definition here sets off alarm bells: ETHAsset. If the symbol of the token at the given contract address is ETH, the symbol check here is bypassed and the token is treated as native ETH.
To confirm our suspicion, we look at what happens when the token address is not present in the node's local token list: the node fetches the contract information from the Ethereum main chain and builds a new token record from whatever symbol the contract returns. At this point the whole cause of the vulnerability is revealed: nothing ties the symbol ETH to the real native asset.
- bifrost/pkg/chainclients/ethereum/tokens_db.go
- bifrost/pkg/chainclients/ethereum/ethereum_block_scanner.go
To summarize: because of this incorrect definition, an ERC20 token deposited through the cross-chain bridge with the symbol ETH triggers a logic error and is identified as real native Ether.
Reconstructing the attack
Looking at the execution of one of the attack transactions, we can extract the contract address of the deposited token.
Looking this contract address up on Etherscan shows that the token's symbol is ETH. By deploying a fake coin contract whose symbol is ETH, the attacker completed the fake cross-chain top-up.
The fix defines EmptyAsset to represent an empty (unresolved) asset and uses asset.IsEmpty() in the subsequent logic to filter out fake deposit tokens that were never assigned a real asset.
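As an added example (this is not bifrost's own code and not from the original article), the following Go program contrasts the vulnerable resolution path described above with the fixed one. The type and function names (Asset, TokenMeta, getTokenMeta, getAssetVulnerable, getAssetFixed, creditDeposit), the use of the zero address to identify a native-ETH deposit, and both contract addresses are assumptions made for the example; the main-chain lookups are replaced by a constructed in-memory map.

```go
package main

import (
	"fmt"
	"strings"
)

// Asset is a simplified stand-in for THORChain's common.Asset: the chain,
// the ticker symbol and the ERC20 contract address. The type and helper
// names in this file are illustrative, not bifrost's own code.
type Asset struct {
	Chain   string
	Symbol  string
	Address string
}

// EmptyAsset is the sentinel the fix introduced; IsEmpty lets the crediting
// step drop anything that never resolved to a known token.
var EmptyAsset = Asset{}

func (a Asset) IsEmpty() bool { return a == EmptyAsset }

// ZeroAddress is assumed here to be how a native-ETH deposit is identified
// (address(0) instead of an ERC20 contract). ETHAsset is native Ether.
const ZeroAddress = "0x0000000000000000000000000000000000000000"

var ETHAsset = Asset{Chain: "ETH", Symbol: "ETH", Address: ZeroAddress}

// TokenMeta is what the node reads back from a contract's symbol() and
// decimals() when it has no local record of the address.
type TokenMeta struct {
	Symbol   string
	Decimals int
}

// Constructed main-chain state standing in for the eth_call lookups: one
// legitimate token and an attacker contract whose symbol() returns "ETH".
// Both addresses are made up for this example.
const (
	LegitToken = "0x1111111111111111111111111111111111111111"
	FakeETH    = "0x2222222222222222222222222222222222222222"
)

var mainChain = map[string]TokenMeta{
	LegitToken: {Symbol: "USDT", Decimals: 6},
	FakeETH:    {Symbol: "ETH", Decimals: 18},
}

// newTokenDB is the node's local token list (the tokens_db.go role); it
// initially knows only the legitimate token.
func newTokenDB() map[string]TokenMeta {
	return map[string]TokenMeta{LegitToken: {Symbol: "USDT", Decimals: 6}}
}

// getTokenMeta returns cached metadata for addr, falling back to the main
// chain and caching whatever symbol the contract reports.
func getTokenMeta(db map[string]TokenMeta, addr string) (TokenMeta, bool) {
	addr = strings.ToLower(addr)
	if m, ok := db[addr]; ok {
		return m, true
	}
	m, ok := mainChain[addr]
	if ok {
		db[addr] = m
	}
	return m, ok
}

// getAssetVulnerable reproduces the faulty logic: a token whose reported
// symbol is "ETH" is mapped to native Ether, whatever its contract address.
func getAssetVulnerable(db map[string]TokenMeta, addr string) Asset {
	addr = strings.ToLower(addr)
	if addr == ZeroAddress {
		return ETHAsset
	}
	meta, ok := getTokenMeta(db, addr)
	if !ok {
		return EmptyAsset
	}
	if meta.Symbol == ETHAsset.Symbol { // the bypass: the symbol alone decides
		return ETHAsset
	}
	return Asset{Chain: "ETH", Symbol: meta.Symbol, Address: addr}
}

// getAssetFixed keys native Ether on its address, not its symbol, and returns
// EmptyAsset for any contract that merely calls itself "ETH".
func getAssetFixed(db map[string]TokenMeta, addr string) Asset {
	addr = strings.ToLower(addr)
	if addr == ZeroAddress {
		return ETHAsset
	}
	meta, ok := getTokenMeta(db, addr)
	if !ok || meta.Symbol == ETHAsset.Symbol {
		return EmptyAsset
	}
	return Asset{Chain: "ETH", Symbol: meta.Symbol, Address: addr}
}

// creditDeposit is the crediting step: resolve the deposit to an asset and
// credit the amount unless the asset is empty. It returns the credited
// asset, the credited amount and whether anything was credited.
func creditDeposit(resolve func(map[string]TokenMeta, string) Asset, db map[string]TokenMeta, addr string, amount uint64) (Asset, uint64, bool) {
	asset := resolve(db, addr)
	if asset.IsEmpty() {
		return EmptyAsset, 0, false
	}
	return asset, amount, true
}

func main() {
	resolvers := []struct {
		name string
		fn   func(map[string]TokenMeta, string) Asset
	}{{"vulnerable", getAssetVulnerable}, {"fixed", getAssetFixed}}
	for _, r := range resolvers {
		asset, amt, ok := creditDeposit(r.fn, newTokenDB(), FakeETH, 1e18)
		fmt.Printf("%-10s fake-ETH deposit: credited=%v amount=%d asset=%+v\n", r.name, ok, amt, asset)
	}
}
```

With the vulnerable resolver, 10^18 units of the attacker's token are credited as 10^18 wei of native ETH; with the fixed resolver the deposit resolves to EmptyAsset and is dropped. The general lesson is that identity of a cross-chain asset must come from something the attacker cannot choose (the contract address, ideally checked against a whitelist), never from self-reported metadata such as symbol() or name().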
Fortunately, the project team discovered the attack in time and no major loss of funds resulted. But a cross-chain system may come to hold very large multi-chain funds in the future, and its security must not be neglected. The Slow Fog security team therefore suggests that when designing a cross-chain system, the characteristics of the different tokens on each public chain should be fully considered and thorough “fake top-up” testing should be carried out. Set up state monitoring and alerting, and, if necessary, engage a professional security firm for an audit.
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/fake-coin-face-shifting-trick-technical-breakdown-of-thorchains-cross-chain-system-fake-top-up-vulnerability/