First Report about Thoreum token exploit on Jan-18 - 2023
Dear our community,
Thanks to your support, things have already come back to normal, we have the time to stay to wrap up what happened in the exploit that just happened 10 hours ago.
- Jan-18–2023 07:01:05 AM +UTC, Thoreum was updated to v4 with many new features. Unfortunately we have a transfer bug that if a wallet sends funds to itself, the amount of tokens in the wallet will be increased by as much as the sent amount. We have a thorough check for it but somehow it was missed in the final production version.
- V4 Contract upgrade tx: https://bscscan.com/tx/0x5a0a32d646252d8ae0844de2aff793ef1412ebbcc2531cfcb6fb83000619a6f2
2. Jan-19–2023 04:51:17 AM +UTC, An exploiter found out this bug and created an exploiting contract that sent itself millions of Thoreumv4 and made a series of 36 sells on the market to drain Biswap liquidity, at that time being at 3321.29 BNB before the exploit.
- Exploiter address 1: https://bscscan.com/address/0x1ae2dc57399b2f4597366c5bf4fe39859c006f99
- Exploiter address 1 create the Exploiting contract: https://bscscan.com/tx/0xfe6284a4a156a77d3b71de485cccebb06349666fb09f0a42e95c4a689dce64ab
- Exploiting contract and its actions: https://bscscan.com/address/0x7d1E1901226E0ba389BfB1281EDE859e6E48CC3d
3. The BNB was drained quickly in about 34 minutes, from 05:01:47 AM +UTC to 05:35:14 AM +UTC. Thanks to Thoreum transfer tax, not all the BNB was sent to the hacker but part of it was sent to tax receiving addresses. All the after tax WBNB were sent to Exploiter address 2.
- Exploiter 2 receiving WBNB from sells: https://bscscan.com/address/0x1285fe345523f00ab1a66acd18d9e23d18d2e35c#tokentxns
4. The total number of WBNB exploited is 2,261.48 WBNB. Only 181.96 WBNB stay in the liquidity pool. The exploiter converted all of the stolen funds to BNB.
- Exploiter address 2: https://bscscan.com/address/0x1285fe345523f00ab1a66acd18d9e23d18d2e35c
- Exploiter address 2 converted stolen funds to BNB: https://bscscan.com/tx/0xcd79a278fec119526290435aa46ea6b68a1e0fc3ac5a0208b6660a736b653b2a and https://bscscan.com/tx/0xda916274a5b9b6d3bce659cafb19b5a0419fea310b9c80727ecd281ca7106d59 and https://bscscan.com/tx/0x68603aa2cd1beb87f8af97b58ca4385fb84e4b773994aca669b91bb44fd1ea15
5. Exploiter address 2 deposited these BNB to Tornado Cash to launder his money. 2150 BNB was deposited to Tornado Cash Contract; 108.75 BNB left in his wallet.
6. 30 minutes later, at 06:07:59 AM +UTC We found out about the exploit and immediately stopped all token transfer.
7. We quickly organized an emergency team, and found out the bug in our code about 30 minutes later. We fixed the code, upgraded the contract, and figured out a way to recover the token liquidity.
8. We then added BNB back to liquidity from our treasury and our tax receiving wallets. In about 6 hours, a total of 3700 BNB was used to add to liquidity. Of which, 2700 BNB comes from our treasury and 1000 BNB comes from our tax receiving wallets.
9. The reason we add 500 BNB more to the contract is, if we just add 3200 BNB, the liquidity can come back to the state before the exploit, but the value of THOREUM-BNB LP token will be less than the value before the exploit because more tokens have come to circulation due to the bug. This will greatly affect all the stakers in Thoreum BNB Miner, BNB Garden and Thoreum Bank. That’s why we decided to add 500 BNB more so no one will lose their staked token’s value.
10. Now our liquidity is 500 BNB bigger than before the exploit, this means the price floor will be higher for Thoreumv4 in the long run.
12. The protocol has come back to normal and trading is enabled at 11:18:10 AM +UTC.
13. We find out that the hacker’s wallet is funded from Binance Exchange Hot Wallet, Binance has KYCed all their customers, so this mean we can use this information to track down who and where he is.
- Exploiter address 1 was funded from Binance Exchange Hot Wallet: https://bscscan.com/tx/0x9396731b5a00db45d46abf0f090662f71b22ed05c40fb64d3fb523c50e5364f3 and https://bscscan.com/tx/0x42f6ad904a509755e3f1cf46d8bb44216123c521da16bdd1d4a65bf5e899f25b
14. We have been contacted by Binance Security team and formed a task force to follow this incident. We are working with the team to track down the hacker and make him pay for his actions.
15. We are also contacting Cyber Security Police to help us with this incident.
This is a quick sum-up of what happened to our protocol in the last 10 hours. Please follow our telegram channel, we will update you when we have more time and more information.
Thank you very much for your patience and support.
Thoreum Team
