SlowMist: Analysis of Three Consecutive Attacks on THORChain (Released in 2021)
According to the analysis and statistics by the SlowMist AML team, THORChain suffered three attacks with the following actual losses:
On June 29, 2021, THORChain was hit by a “fake deposit” attack, resulting in a loss of nearly $350,000.
On July 16, 2021, THORChain was hit by a “fake deposit” attack for the second time, resulting in a loss of nearly $8 million.
On July 23, 2021, THORChain was hit for the third time, resulting in a loss of nearly $8 million.
This raises the question: with the attacks so close together and the methods so similar, was the same person behind all of them?
The SlowMist AML team used its MistTrack anti-money laundering tracking system to conduct an in-depth analysis of the three attacks, revealing the entire history of the events and exploring the flow of funds.
First Attack: “Fake Deposit” Vulnerability
Attack Overview
The attack was caused by a logical flaw in THORChain’s code. When the ERC20 token symbol for cross-chain deposits was ETH, the flaw caused the deposited tokens to be identified as genuine ETH, which allowed the attacker to successfully exchange fake ETH for other tokens. The SlowMist Security Team has previously analyzed this vulnerability, see: “Technical analysis of the ‘fake deposit’ vulnerability in the THORChain cross-chain system.”
According to the official THORChain postmortem [1], the loss caused by this attack was:
- 9352.4874282 PERP
- 1.43974743 YFI
- 2437.936 SUSHI
- 10.615 ETH
Analysis of the Flow of Funds
Starting from the attacker address published by THORChain, the SlowMist AML team analyzed and compiled the following information on the attacker’s wallet addresses:
Using the MistTrack anti-money laundering tracking system, the AML team found that the attacker began preparing on June 21st and obtained initial funds through the anonymous exchange platform ChangeNOW, before deploying the attack contract five days later on June 26th.
After the successful attack, multiple profit addresses transferred the ETH obtained from the attack to the Tornado Cash mixer to evade tracking. The funds that were not mixed mainly remained in the wallet addresses (0xace…d75) and (0x06b…2fa).
The AML team found that the official statistics on the attacker’s profit addresses had omitted some losses, including:
- 29777.378146 USDT
- 78.14165727 ALCX
- 11.75154045 ETH
- 0.59654637 YFI
Second Attack: “Fake Deposit” Vulnerability Caused by a Value Error
Attack Overview
According to the analysis, the attack contract called the deposit method of the THORChain Router contract with an amount parameter of 0. The attacker’s address then sent a transaction to the attack contract with a non-zero transaction value (msg.value). Due to a defect in the THORChain code, when the node read the user’s deposit amount, the correct amount value from the Deposit event was overwritten by the transaction’s msg.value, so the attacker was credited for an ETH deposit that was never actually made.
According to the official THORChain postmortem [2], the loss caused by this attack was:
- 2500 ETH
- 57975.33 SUSHI
- 8.7365 YFI
- 171912.96 DODO
- 514.519 ALCX
- 1167216.739 KYL
- 13.30 AAVE
Analysis of the Flow of Funds
The SlowMist AML team found the following information regarding the attacker’s wallet addresses:
Analysis from the MistTrack AML system shows that the attacker address (0x4b7…c5a) provided initial funds to the attacker address (0x3a1…031) in the first attack, and the initial funds of the attacker address (0x4b7…c5a) came from 10 ETH transferred from the Tornado Cash mixer platform.
After the successful attack, all related addresses transferred the stolen funds to the profit address (0xace…70e).
The profit address (0xace…70e) only had one outgoing transaction: a transfer of 10 ETH through Tornado Cash.
The AML team at SlowMist analyzed the funds on the attacker’s profit address and found that the official statistics had missed some losses:
- 2246.6 SUSHI
- 13318.35 DODO
- 110108 KYL
- 243.929 USDT
- 259237.77 HEGIC
Third Attack: Refund Logic Vulnerability
Attack Overview
In this attack, as in the second one, the attacker deployed an attack contract to act as their own router and called the THORChain Router contract from inside it.
This time, however, the attacker exploited a refund logic vulnerability in the THORChain Router contract. The attacker called the returnVaultAssets function, sending a small amount of ETH and designating the attack contract as Asgard. When the THORChain Router contract sent ETH to Asgard, which was the attack contract, a deposit event was triggered in which the attacker had constructed an arbitrary asset and amount together with a memo that did not meet the required format. The THORChain node program could not process the memo and triggered the refund logic.
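As an added example, not code from SlowMist or THORChain, the following Go sketch shows the observer-side deposit-parsing checks that each of the three flaws described above would have tripped: native ETH recognised by the zero asset address rather than by symbol (first attack), the credited amount taken from the Deposit event itself rather than from msg.value (second attack), and Deposit logs accepted only from the known Router contract (third attack; this emitter check is my inference from the description). The Router address, the token address and the asset-id format are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Constructed placeholder for the deployed Router address (not the real contract).
const trustedRouter = "0xROUTER_PLACEHOLDER"
const zeroAddr = "0x0000000000000000000000000000000000000000"
// DepositEvent holds the fields an observer reads from a Deposit log. The outer
// transaction's msg.value is deliberately not part of the input (second attack).
type DepositEvent struct {
	Emitter string   // contract that emitted the log
	Asset   string   // token contract address, zero address for native ETH
	Symbol  string   // ERC20 symbol reported by the token; attacker-controlled
	Amount  *big.Int // amount field of the event
	Memo    string
}
type Deposit struct {
	Asset  string // "ETH.ETH" for native ETH, otherwise "ETH.<SYMBOL>-<address>" (constructed id)
	Amount *big.Int
	Memo   string
}

// ParseDeposit applies the checks the three attacks above would have failed.
func ParseDeposit(ev DepositEvent) (Deposit, error) {
	// Third attack: only logs emitted by the genuine Router are trusted.
	if !strings.EqualFold(ev.Emitter, trustedRouter) {
		return Deposit{}, errors.New("deposit log not emitted by the trusted Router")
	}
	// Second attack: credit the event's own amount field; a zero amount is not a deposit.
	if ev.Amount == nil || ev.Amount.Sign() <= 0 {
		return Deposit{}, errors.New("deposit amount must be positive")
	}
	// First attack: native ETH is recognised by the zero asset address only;
	// a token whose symbol happens to be "ETH" stays a distinct ERC20 asset.
	asset := "ETH.ETH"
	if !strings.EqualFold(ev.Asset, zeroAddr) {
		asset = "ETH." + strings.ToUpper(ev.Symbol) + "-" + strings.ToLower(ev.Asset)
	}
	return Deposit{Asset: asset, Amount: new(big.Int).Set(ev.Amount), Memo: ev.Memo}, nil
}

func main() {
	ev := DepositEvent{Emitter: trustedRouter, Asset: "0xfake_eth_token", Symbol: "ETH", Amount: big.NewInt(10)}
	fmt.Println(ParseDeposit(ev)) // constructed ERC20 named "ETH": asset id is "ETH.ETH-0xfake_eth_token", not "ETH.ETH"
}
```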
Interestingly, a Twitter user compiled the memo from the attack transaction and found that the attacker was calling out THORChain officials, claiming to have discovered multiple severe vulnerabilities that could steal assets such as ETH/BTC/LYC/BNB/BEP20.
According to THORChain’s official post-mortem article [3], the losses from this attack were:
- 966.62 ALCX
- 20,866,664.53 XRUNE
- 1,672,794.010 USDC
- 56,104 SUSHI
- 6.91 YEARN
- 990,137.46 USDT
Fund Flow Analysis
The SlowMist AML team analyzed the attacker’s related wallet addresses, which are shown in the image.
MistTrack AML system analysis found that the initial funds for the attacker address (0x8c1…d62) came from another attacker address (0xf6c…747), and that address (0xf6c…747) had only one incoming record, a transfer of 100 ETH from Tornado Cash, which, surprisingly, dated from December 2020.
After the successful attack, the attacker transferred the funds to the profit address (0x651…da1).
Summary
The initial funds for all three attacks came from anonymous platforms (ChangeNOW, Tornado Cash), indicating that the attackers had some “counter-surveillance” awareness, and the transactions in the third attack were all private transactions, further enhancing the attacker’s anonymity.
Looking at the wallet addresses involved in the three attacks, there was no overlap between them, so it is impossible to determine from addresses alone whether it was the same attacker. Looking at the scale of funds, the amount stolen from THORChain increased from $140,000 in the first attack to nearly $10 million in the third attack. However, most of the funds stolen in the three attacks were not cashed out, and the time between attacks was relatively short. Combining these clues, the SlowMist AML team inferred that it is possible that the same person was behind the attacks.
As of now, the attacker’s remaining funds in the attacked addresses add up to nearly 13 million US dollars, while THORChain has lost over 16 million US dollars due to the three attacks.
Leveraging the SlowMist BTI system and AML system, which have tagged nearly 200 million addresses, the SlowMist MistTrack Anti-Money Laundering (AML) tracking system covers major exchanges worldwide and has served over 50 clients, recovering assets totaling over 200 million US dollars (see: SlowMist AML upgrade goes live, adding more power to asset tracking). In response to the THORChain attack, the SlowMist AML team will continue to monitor the transfer of stolen funds, blacklist all wallet addresses controlled by the attacker, and remind exchanges and wallets to strengthen address monitoring and prevent the influx of related malicious funds into their platforms.
The security of cross-chain systems cannot be ignored. SlowMist Technology recommends that project teams fully consider the characteristics of different public chains and tokens when designing cross-chain systems, conduct thorough “fake deposit” tests, and if necessary, engage professional security companies for security audits.
References:
THORChain official retrospective articles:
[1] https://medium.com/thorchain/eth-parsing-error-and-exploit-3b343aa6466f
[2] https://thearchitect.notion.site/THORChain-Incident-07-15-7d205f91924e44a5b6499b6df5f6c210
[3] https://thearchitect.notion.site/THORChain-Incident-07-22-874a06db7bf8466caf240e1823697e35
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.
Website: https://www.slowmist.com
Twitter: https://twitter.com/SlowMist_Team
Github: https://github.com/slowmist/