
Post Mortem: Thoreum Finance

Project name: Thoreum Finance (Jan 19th)

Project type: Token

Date of exploit: Jan 18th, 2023

Asset loss: Around 2,260 WBNB

Vulnerability: Logic issue

Date of audit report publishing: Jul 1st, 2021

Conclusion: Out of Audit Scope

Details of the Exploit

Background

Thoreum Finance is a DeFi project providing multiple services, such as liquidity mining, to its users. Its token contract was upgraded to v4 on Jan 18 and was exploited shortly after the upgrade.

Nature of the Vulnerability

  • The new Thoreum implementation is unverified, but its _transfer() function is likely flawed when from == to: instead of leaving the balance unchanged, a self-transfer increases the sender's balance by the sent amount.
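The from == to hazard described above, shown as an added example: a hypothetical minimal token with the flawed write pattern beside its corrected form. This is not Thoreum's v4 code (that implementation is unverified); the contract and function names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical minimal token reconstructing the bug class described above.
// This is NOT Thoreum's v4 code (that implementation is unverified); the
// names and layout are assumptions made for illustration.
contract SelfTransferDemo {
    mapping(address => uint256) private _balances;
    uint256 public immutable totalSupply;

    constructor(uint256 supply) {
        totalSupply = supply;
        _balances[msg.sender] = supply;
    }

    function balanceOf(address account) public view returns (uint256) {
        return _balances[account];
    }

    // FLAWED pattern: both balances are cached in locals before any write.
    // When from == to, the second store overwrites the first, so the account
    // keeps its original balance plus `amount`; tokens appear from nowhere.
    function _transferFlawed(address from, address to, uint256 amount) internal {
        uint256 fromBalance = _balances[from];
        uint256 toBalance = _balances[to];          // equals fromBalance if from == to
        require(fromBalance >= amount, "insufficient balance");
        _balances[from] = fromBalance - amount;
        _balances[to] = toBalance + amount;         // from == to: net +amount
    }

    // FIXED pattern: each step is a read-modify-write against storage, so a
    // self-transfer debits and then credits the same slot and nets to zero.
    function _transferFixed(address from, address to, uint256 amount) internal {
        require(_balances[from] >= amount, "insufficient balance");
        _balances[from] -= amount;
        _balances[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _transferFixed(msg.sender, to, amount);
        return true;
    }

    // Invariant a test suite should assert after every transfer, including
    // from == to: balanceOf(sender) + balanceOf(receiver) is unchanged and the
    // sum of all balances still equals totalSupply. The flawed variant breaks
    // both on a self-transfer.
}
```

A self-transfer test case (from == to) belongs in the regression suite of any upgradeable token, since the flawed variant passes every ordinary two-party transfer test.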

CertiK Audit Overview

Conclusion

On Jan 18, 2023, Thoreum Finance's token contract v4 was exploited, leading to a loss of around 2,260 WBNB. The attacker took advantage of the flawed implementation of the token contract's transfer function to inflate their own balance.

According to the Thoreum team's announcement, the vulnerability was introduced in the newly updated (unverified) contract deployed on Jan 18th, 2023.
