Will THORChain get three hits in a row by the same hacker?

According to the analysis and statistics of the SlowMist AML team, the actual losses from the three attacks on THORChain are as follows:

On June 29, 2021, THORChain was attacked by “fake deposits” and lost nearly 350,000 USD;

On July 16, 2021, THORChain was attacked by “fake deposits” for the second time, resulting in a loss of nearly 8 million US dollars;

On July 23, 2021, THORChain was attacked for a third time and again lost nearly 8 million US dollars.

This naturally raises a question: with three attacks so close together in time and so similar in technique, is the same person behind all of them?

The SlowMist AML team used its MistTrack anti-money laundering tracking system to conduct in-depth tracking and analysis of the three attacks, reconstructing the ins and outs of the entire incident and tracing the flow of funds.

The first attack: “fake deposit” vulnerability

Attack overview

This attack was caused by a logic flaw in the THORChain code: when an ERC20 token deposited cross-chain has the symbol ETH, the deposited token is recognized as real ETH, so the fake ETH could then be swapped for other tokens. The SlowMist security team published an analysis at the time; for details, see: The face-changing trick of counterfeit currency: a technical dismantling of the THORChain cross-chain system “fake deposit” vulnerability.

According to the official review article [1] released by THORChain, the losses caused by this attack are:

9352.4874282 PERP
1.43974743 YFI
2437.936 SUSHI
10.615 ETH

Capital flow analysis

Starting from the officially disclosed attacker address, the SlowMist AML team analyzed and sorted out the wallet addresses related to the attacker as follows:


According to the analysis of the MistTrack anti-money laundering tracking system, the attacker began preparations on June 21, obtaining initial funds through the anonymous exchange platform ChangeNOW, and deployed the attack contract 5 days later (June 26).


After the attack succeeded, multiple profit addresses transferred the ETH obtained from the attack to the mixing platform Tornado Cash in order to evade tracking. The unmixed funds were mainly held at the wallet addresses (0xace…d75) and (0x06b…2fa).


The SlowMist AML team counted the funds at the attacker’s profit addresses and found that the official statistics missed part of the loss:

29777.378146 USDT
78.14165727 ALCX
11.75154045 ETH
0.59654637 YFI

The second attack: “fake deposit” vulnerability caused by an incorrect amount value

Attack overview

According to the analysis, the attacker’s contract called the deposit method of the THORChain Router contract with the amount parameter set to 0. The attacker’s address then sent a transaction to the attack contract with a non-zero value (msg.value). Because of a flaw in the THORChain code, the node used the transaction’s msg.value to overwrite the amount value recorded in the Deposit event when determining the user’s deposit amount, so the attacker was credited for a deposit that was never actually made.


According to the official review article [2] released by THORChain, the losses caused by this attack are:

2500 ETH
57975.33 SUSHI
8.7365 YFI
171912.96 DODO
514.519 ALCX
1167216.739 KYL
13.30 AAVE

Capital flow analysis

The SlowMist AML team’s analysis found that the wallet addresses related to the attacker are as follows:


The analysis of the MistTrack anti-money laundering tracking system found that the attacker address (0x4b7…c5a) provided initial funds to the attacker address (0x3a1…031), and that (0x4b7…c5a) was itself initially funded with 10 ETH transferred from the mixing platform Tornado Cash.


After the attack succeeded, the related addresses all transferred the tokens obtained from the attack to the address (0xace…70e).


The profit address (0xace…70e) has only one transfer record: 10 ETH transferred through Tornado Cash.


The SlowMist AML team counted the funds at the attacker’s profit address and found that the official statistics missed part of the loss:

2246.6 SUSHI
13318.35 DODO
110108 KYL
243.929 USDT
259237.77 HEGIC

The third attack: refund logic flaw

Attack overview


This attack resembles the second one: the attacker deployed an attack contract to act as their own router and called the THORChain Router contract from it. The difference is that the attacker exploited a logic flaw in the THORChain Router contract’s refund handling. The attacker called the returnVaultAssets function with a small amount of ETH while passing the attack contract as the asgard address. When the THORChain Router contract sent the ETH to asgard, asgard was the attack contract, which emitted a Deposit event with an arbitrarily constructed asset and amount and a memo that did not meet the format requirements. The THORChain node program could not process the memo and, by design, entered the refund logic.


(Screenshot from viewblock.io)
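The three deposit-handling weaknesses described above (asset identity taken from the token symbol, msg.value overriding the event amount, and a Deposit log accepted from a contract other than the router) can be shown side by side in a small validation routine. The following Go program is an added example written for this article, not THORChain’s own node or router code; the DepositEvent shape, the zero-address convention for native ETH in the event and the placeholder addresses (0xrouter, 0xfaketoken, 0xattackcontract) are assumptions made for the example. vulnerableCredit reproduces the flawed behaviour, hardenedCredit applies the checks a defender would want before crediting anything.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// zeroAddress stands for native ETH in the Asset field of a Deposit event.
// This convention is assumed for the example.
const zeroAddress = "0x0000000000000000000000000000000000000000"

// DepositEvent is a simplified Deposit log plus the transaction context a
// node has when it processes the receipt (constructed for this example).
type DepositEvent struct {
	Emitter  string // contract that emitted the log
	Asset    string // token contract address, or zeroAddress for native ETH
	Symbol   string // symbol the token contract reports; attacker-controlled for any ERC20
	Amount   uint64 // amount parameter carried by the event
	MsgValue uint64 // ETH attached to the transaction that produced the log
	Memo     string
}

// Credit is what the node would credit to the depositor.
type Credit struct {
	Asset  string
	Amount uint64
}

// vulnerableCredit reproduces the three weaknesses the article describes:
// asset identity from the symbol (attack 1), msg.value overriding the event
// amount (attack 2), and no check on which contract emitted the log (attack 3).
func vulnerableCredit(ev DepositEvent) Credit {
	asset := strings.ToLower(ev.Asset)
	if strings.EqualFold(ev.Symbol, "ETH") {
		asset = "ETH" // any token calling itself ETH is treated as real ETH
	}
	amount := ev.Amount
	if ev.MsgValue > 0 {
		amount = ev.MsgValue // attached value silently replaces the event amount
	}
	return Credit{Asset: asset, Amount: amount}
}

// hardenedCredit only credits a deposit that was logged by the trusted
// router, identifies the asset by contract address, and for native ETH
// requires the amount to equal the ETH actually attached to the call.
func hardenedCredit(ev DepositEvent, trustedRouter string) (Credit, error) {
	if !strings.EqualFold(ev.Emitter, trustedRouter) {
		return Credit{}, errors.New("Deposit log not emitted by the trusted router")
	}
	if ev.Amount == 0 {
		return Credit{}, errors.New("zero-amount deposit")
	}
	if strings.EqualFold(ev.Asset, zeroAddress) {
		if ev.Amount != ev.MsgValue {
			return Credit{}, fmt.Errorf("native ETH amount %d does not match msg.value %d", ev.Amount, ev.MsgValue)
		}
		return Credit{Asset: "ETH", Amount: ev.Amount}, nil
	}
	// An ERC20 deposit is keyed by its contract address; the symbol string is
	// informational only and must never promote a token to native ETH.
	return Credit{Asset: strings.ToLower(ev.Asset), Amount: ev.Amount}, nil
}

func main() {
	const router = "0xrouter" // placeholder, not the real router address
	events := []struct {
		name string
		ev   DepositEvent
	}{
		{"attack 1: ERC20 whose symbol is ETH", DepositEvent{Emitter: router, Asset: "0xfaketoken", Symbol: "ETH", Amount: 100}},
		{"attack 2: amount 0 with msg.value attached", DepositEvent{Emitter: router, Asset: zeroAddress, Symbol: "ETH", Amount: 0, MsgValue: 50}},
		{"attack 3: Deposit log from the attacker's contract", DepositEvent{Emitter: "0xattackcontract", Asset: zeroAddress, Symbol: "ETH", Amount: 1000000}},
	}
	for _, e := range events {
		v := vulnerableCredit(e.ev)
		h, err := hardenedCredit(e.ev, router)
		fmt.Printf("%s\n  vulnerable credits %d %s\n  hardened credits %+v (err: %v)\n", e.name, v.Amount, v.Asset, h, err)
	}
}
```

The emitter check is the one that matters most for the third attack: a Deposit log is only meaningful if the trusted router produced it, and a node that indexes logs by topic alone will happily credit a forged event from any contract. The amount/msg.value equality check addresses the second attack for native ETH; for ERC20 deposits the node should confirm the token’s own Transfer event rather than trust the attached value.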

Interestingly, Twitter users pieced together the memos in the attack transactions and found that the attacker was actually addressing the THORChain team, claiming to have discovered multiple serious vulnerabilities that could be used to steal assets such as ETH/BTC/LYC/BNB/BEP20.


(Picture from https://twitter.com/defixbt/status/1418338501255335937)

According to the official review article [3] released by THORChain, the losses caused by this attack are:

966.62 ALCX
20,866,664.53 XRUNE
1,672,794.010 USDC
56,104 SUSHI
6.91 YEARN
990,137.46 USDT

Capital flow analysis

The SlowMist AML team’s analysis found that the wallet addresses related to the attacker are as follows:


The analysis of the MistTrack anti-money laundering tracking system found that the initial source of funds for the attacker address (0x8c1…d62) was another attacker address (0xf6c…747), and that address (0xf6c…747) has only one funding record: 100 ETH transferred from Tornado Cash, and the transfer actually dates back to December 2020!

After the attack succeeded, the attacker transferred the funds to the profit address (0x651…da1).
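The capital-flow analyses in all three sections follow the same pattern: walk backwards from an attacker address along its first inbound transfer until a labelled service (a mixer or a no-KYC exchange) is reached, and sum how much a profit address sends onward to such services. The following Go program is an added example of that tracing logic, not MistTrack or any SlowMist code; the transfer records, the address names (mixer_pool, instant_swap, funder_a, attacker_b, profit_c and so on) and the label table are all constructed placeholders and do not correspond to the real addresses in the incidents.

```go
package main

import "fmt"

// Transfer is one on-chain value movement. Block ordering stands in for
// timestamps so the sample stays self-contained.
type Transfer struct {
	Block  uint64
	From   string
	To     string
	Amount float64
	Asset  string
}

// labels marks addresses belonging to anonymity-providing services. A real
// tracking system would load these from an address-tag database; this is a
// hand-written placeholder set for the example.
var labels = map[string]string{
	"mixer_pool":   "Tornado Cash (mixer)",
	"instant_swap": "ChangeNOW (no-KYC exchange)",
}

// sampleTransfers is a constructed funding graph loosely shaped like the
// article's third-attack flow: mixer -> funder -> attacker -> profit address.
var sampleTransfers = []Transfer{
	{Block: 100, From: "mixer_pool", To: "funder_a", Amount: 100, Asset: "ETH"},
	{Block: 900, From: "funder_a", To: "attacker_b", Amount: 10, Asset: "ETH"},
	{Block: 950, From: "instant_swap", To: "deployer_d", Amount: 2, Asset: "ETH"},
	{Block: 1000, From: "attacker_b", To: "profit_c", Amount: 2500, Asset: "ETH"},
	{Block: 1010, From: "profit_c", To: "mixer_pool", Amount: 5, Asset: "ETH"},
	{Block: 1020, From: "profit_c", To: "cold_e", Amount: 100, Asset: "ETH"},
}

// firstInbound returns the earliest transfer into addr, if any.
func firstInbound(transfers []Transfer, addr string) (Transfer, bool) {
	var best Transfer
	found := false
	for _, tx := range transfers {
		if tx.To != addr {
			continue
		}
		if !found || tx.Block < best.Block {
			best, found = tx, true
		}
	}
	return best, found
}

// traceOrigin walks backwards from addr along each address's first inbound
// transfer until it reaches a labelled service, an address with no funding
// record, a cycle, or maxHops. It returns the path (addr first) and the
// label of the origin, or "" if no labelled origin was reached.
func traceOrigin(transfers []Transfer, addr string, maxHops int) ([]string, string) {
	path := []string{addr}
	seen := map[string]bool{addr: true}
	cur := addr
	for hops := 0; ; hops++ {
		if label, ok := labels[cur]; ok {
			return path, label
		}
		if hops >= maxHops {
			return path, ""
		}
		tx, ok := firstInbound(transfers, cur)
		if !ok || seen[tx.From] {
			return path, ""
		}
		seen[tx.From] = true
		path = append(path, tx.From)
		cur = tx.From
	}
}

// anonymousServiceOutflow sums what addr sent directly to labelled services,
// i.e. the portion of proceeds already pushed into a mixer or no-KYC exchange.
func anonymousServiceOutflow(transfers []Transfer, addr string) float64 {
	total := 0.0
	for _, tx := range transfers {
		if tx.From != addr {
			continue
		}
		if _, ok := labels[tx.To]; ok {
			total += tx.Amount
		}
	}
	return total
}

func main() {
	for _, addr := range []string{"attacker_b", "deployer_d", "cold_e"} {
		path, label := traceOrigin(sampleTransfers, addr, 10)
		fmt.Printf("%s: path %v, origin %q\n", addr, path, label)
	}
	fmt.Printf("profit_c sent %.1f ETH to anonymity services\n", anonymousServiceOutflow(sampleTransfers, "profit_c"))
}
```

Following only the first inbound transfer is a deliberate simplification: it answers the article’s question of where an address’s initial funds came from, which is the signal used to flag ChangeNOW and Tornado Cash provenance. A full investigation would also follow later inbound transfers and weight them by amount.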


Summary

The above analysis shows that the initial funds for all three attacks came from anonymous platforms (ChangeNOW, Tornado Cash), indicating that the attackers have a certain “anti-reconnaissance” awareness, and the transactions of the third attack were all private transactions, which further strengthens the attacker’s anonymity.


Judging from the wallet addresses involved in the three attacks, there is no overlap, so it is impossible to determine from the addresses alone whether they belong to the same attacker. From the perspective of the scale of funds, from the first attack to the third, the amount stolen from THORChain has grown larger and larger, from 140,000 US dollars to nearly 10 million US dollars. However, most of the funds obtained from the three attacks have not been cashed out, and the intervals between the attacks are relatively short. Combining these clues, the SlowMist AML team reasons that there is a certain possibility that the same person is behind all three.

As of now, after three attacks, the total balance of the addresses where the attacker’s funds are held is nearly 13 million US dollars, and THORChain’s losses across the three attacks exceed 16 million US dollars!


(The value of the stolen tokens is calculated at the prices on the date this article was published.)

Relying on nearly 200 million address tags in the SlowMist BTI system and the AML system, the SlowMist MistTrack anti-money laundering tracking system fully covers the world’s mainstream exchanges, serves 50+ customers, and has helped recover more than 200 million US dollars in assets (for details, see: SlowMist AML is upgraded online, adding more power to asset tracking). In response to the THORChain attacks, the SlowMist AML team will continue to monitor the movement of the stolen funds, block all wallet addresses controlled by the attacker, and remind exchanges and wallets to strengthen address monitoring so that the related malicious funds cannot flow into their platforms.

The security of cross-chain systems cannot be ignored. SlowMist recommends that when designing a cross-chain system, the project team fully consider the characteristics of different public chains and different tokens, carry out thorough “fake deposit” testing, and engage a professional security firm for a security audit if necessary.


Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/will-thorchain-get-three-hits-in-a-row-by-the-same-hacker/