THORChain Contract Problems – Approvals Can Drain RUNE Balance

THORChain can't seem to catch a break from its recent troubles: the token contract for RUNE was exploited again on July 23. What happened?

Dennis Weidner

July 24, 2021 9:42 AM

THORChain is in hot water again, less than 24 hours after the previous hack on July 23. This time it’s actually more serious: interacting with any malicious contract can let the attacker(s) drain the RUNE balance from your wallet. So far it has worked as follows: the attacker mass-drops a token called UNIH to wallets; since it appears to be worth something, users try to swap it on Uniswap. Before anything can be traded, the token has to be approved. But once you do that, the attacker can transfer your THORChain RUNE balance to his own wallet.

Someone is airdropping UniH tokens to ETH addresses.

Just ignore: do not exchange them on UniSwap. If you approve it for swapping, the contract will drain your wallet.

How is this even possible? Sadly, it appears that the THORChain developers made a critical mistake while writing the code, or perhaps they wanted to save their users a few dollars by combining two transactions into one. Either way, it was a fatal departure from Solidity design principles and went against what the documentation explicitly cautions. The surprising part is that the numerous audits conducted so far also failed to report the issue.

Any contract call can drain all your RUNE, no need for approvals or anything.

1. User calls the contract
2. The contract calls RUNE.transferTo and transfers everything out

That's it, no need for approvals or anything. pic.twitter.com/5m4AJyU0oG

THORChain Technicalities

The THORChain developers implemented a transferTo function in the RUNE token code that allows any contract the user interacts with to transfer the user's RUNE balance. It uses tx.origin to authenticate the transaction on your behalf, and it doesn’t check the allowance before transferring, which amounts to an implicit infinite approval. That is a strict no-no: even the THORChain code documentation notes the danger of this approach, yet somehow they still went with it.
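To make the flaw concrete, here is an added illustration (not the actual RUNE contract source, which this page does not reproduce): the tx.origin-based transferTo pattern the article describes, side by side with the standard allowance-checked transferFrom. The contract name RuneLikeToken and its storage layout are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal, constructed balance bookkeeping; enough to contrast the two patterns.
contract RuneLikeToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // UNSAFE pattern described in the article: the sender is taken from tx.origin,
    // the externally owned account that started the transaction, not from msg.sender
    // (the contract actually calling us). Any contract the user calls can therefore
    // move the user's full balance, and no allowance is ever consulted.
    function transferTo(address recipient, uint256 amount) external returns (bool) {
        _transfer(tx.origin, recipient, amount);
        return true;
    }

    // Standard ERC-20 pattern: a third party may only move tokens the holder has
    // explicitly approved for that caller, and the approval is consumed as it is spent.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "insufficient allowance");
        allowance[from][msg.sender] = allowed - amount;
        _transfer(from, to, amount);
        return true;
    }

    function _transfer(address from, address to, uint256 amount) internal {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}
```

For auditors, any use of tx.origin as the source of a balance-changing operation is the red flag to search for; the only widely accepted use of tx.origin is an equality check against msg.sender to detect that a call came directly from an externally owned account.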

Apparently the THORChain attacker has dropped UNIH to thousands of wallets and is now draining their RUNE balances to his own. A clear assessment of the total amount stolen isn’t directly possible. The THORChain RUNE price is showing a decline of more than 23% in the last 24 hours and is currently changing hands at around $3.63. It’s essential that users don’t approve smart contracts they don’t trust, though THORChain should certainly do a better job of securing its users, who can’t be expected to know about and guard themselves against complex vulnerabilities.
