Back to all stories
Blogs
Incident Analysis
Post Mortem: Thoreum Finance
1/8/2024
Post Mortem: Thoreum Finance

Project name: Thoreum Finance (Jan 19th)

Project type: Token

Date of exploit: Jan 18th, 2023

Asset loss: Around 2,260 WBNB

Vulnerability: Logic issue

Date of audit report publishing: Jul 1st, 2021

Conclusion: Out of Audit Scope

Details of the Exploit

Background

Thoreum Finance is a DeFi project providing multiple services such as liquidity mining to its users. Its token contract was upgraded to v4 on Jan 18 and got hacked after the upgrade.

Nature of the Vulnerability

  • The new implementation of Thoreum is unverified, but the _transfer() function is likely flawed when from == to. The sender's balance increases as much as the sent amount.

CertiK Audit Overview

Screenshot 2024-01-11 at 8.31.38 PM

Conclusion

On Jan 18, 2023, Thoreum Finance's token contract v4 was exploited, leading to a loss of around 2,260 WBNB. The attacker took advantage of the flawed implementation in the token contract's transfer function and manipulated its balance.

Based on the announcement from Thoreum team, the vulnerability was raised in the newly updated contract(unverified) deployed on Jan 18th, 2023.

References