
Post Mortem: Thoreum Finance


Project name: Thoreum Finance (Jan 19th)

Project type: Token

Date of exploit: Jan 18th, 2023

Asset loss: Around 2,260 WBNB

Vulnerability: Logic issue

Date of audit report publishing: Jul 1st, 2021

Conclusion: Out of Audit Scope

Details of the Exploit

Background

Thoreum Finance is a DeFi project providing multiple services, such as liquidity mining, to its users. Its token contract was upgraded to v4 on Jan 18 and was exploited after the upgrade.

Nature of the Vulnerability

  • The new Thoreum implementation contract is unverified (its source is not published), but the _transfer() function is likely flawed in the case where from == to: a self-transfer increases the sender's balance by the transferred amount instead of leaving it unchanged.
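The following is an added illustration, not Thoreum's code (the v4 implementation is unverified, so the contract names, storage layout and starting supply here are assumptions). It reconstructs the most common way a `_transfer()` ends up crediting a self-transfer: both balances are cached in memory before either is written, so when `from == to` the credit write overwrites the debit write. The hardened ledger applies the debit to storage first, which makes a self-transfer a no-op, and the demo contract returns the before/after balances of both ledgers so a unit test can assert the vulnerable one grows by `amount` while the hardened one does not.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Reconstruction of the self-transfer flaw described in the post-mortem.
// Hypothetical code for illustration only; not Thoreum's implementation.
contract VulnerableLedger {
    mapping(address => uint256) internal _balances;

    constructor() {
        _balances[msg.sender] = 1_000 ether; // constructed starting supply
    }

    function balanceOf(address account) external view returns (uint256) {
        return _balances[account];
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _transfer(msg.sender, to, amount);
        return true;
    }

    // FLAW: both sides are read into memory before any write. When
    // from == to, "_balances[to] = toBalance + amount" overwrites the
    // debit just written, so the account gains "amount" out of thin air.
    function _transfer(address from, address to, uint256 amount) internal {
        uint256 fromBalance = _balances[from];
        uint256 toBalance = _balances[to];
        require(fromBalance >= amount, "insufficient balance");
        _balances[from] = fromBalance - amount;
        _balances[to] = toBalance + amount;
    }
}

// Hardened version: debit storage first, then credit. A self-transfer
// nets to zero, and total supply is conserved on every transfer.
contract HardenedLedger {
    mapping(address => uint256) internal _balances;
    uint256 public totalSupply;

    constructor() {
        totalSupply = 1_000 ether; // constructed starting supply
        _balances[msg.sender] = totalSupply;
    }

    function balanceOf(address account) external view returns (uint256) {
        return _balances[account];
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _transfer(msg.sender, to, amount);
        return true;
    }

    // FIX: operate on storage sequentially; checked arithmetic in 0.8+
    // reverts on underflow, so the explicit require is defence in depth.
    function _transfer(address from, address to, uint256 amount) internal {
        require(_balances[from] >= amount, "insufficient balance");
        _balances[from] -= amount;
        _balances[to] += amount;
    }
}

// Test harness: deploys both ledgers (this contract receives the supply),
// performs a self-transfer on each and returns the balances before/after.
// A unit test should assert vulnAfter == vulnBefore + amount (bug present)
// and fixedAfter == fixedBefore (bug absent).
contract SelfTransferDemo {
    function run(uint256 amount)
        external
        returns (uint256 vulnBefore, uint256 vulnAfter, uint256 fixedBefore, uint256 fixedAfter)
    {
        VulnerableLedger v = new VulnerableLedger();
        HardenedLedger h = new HardenedLedger();

        vulnBefore = v.balanceOf(address(this));
        v.transfer(address(this), amount);
        vulnAfter = v.balanceOf(address(this));

        fixedBefore = h.balanceOf(address(this));
        h.transfer(address(this), amount);
        fixedAfter = h.balanceOf(address(this));
    }
}
```

Two cheap checks catch this class of bug before deployment: a unit test that transfers to `msg.sender` and asserts the balance is unchanged, and an invariant test that the sum of all balances equals `totalSupply` after every transfer. Neither would have been possible for third parties here, since the upgraded implementation was deployed without verified source.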

CertiK Audit Overview

[Screenshot: CertiK audit overview for Thoreum Finance]

Conclusion

On Jan 18, 2023, Thoreum Finance's token contract v4 was exploited, leading to a loss of around 2,260 WBNB. The attacker took advantage of the flawed transfer function in the token contract to manipulate their own balance.

According to the Thoreum team's announcement, the vulnerability was introduced in the newly updated (unverified) contract deployed on Jan 18th, 2023.

