Project name: Thoreum Finance (Jan 19th)
Project type: Token
Date of exploit: Jan 18th, 2023
Asset loss: Around 2,260 WBNB
Vulnerability: Logic issue
Date of audit report publishing: Jul 1st, 2021
Conclusion: Out of Audit Scope
Thoreum Finance is a DeFi project providing multiple services such as liquidity mining to its users. Its token contract was upgraded to v4 on Jan 18 and got hacked after the upgrade.
_transfer()
function is likely flawed when from == to
. The sender's balance increases as much as the sent amount.On Jan 18, 2023, Thoreum Finance's token contract v4 was exploited, leading to a loss of around 2,260 WBNB. The attacker took advantage of the flawed implementation in the token contract's transfer function and manipulated its balance.
Based on the announcement from Thoreum team, the vulnerability was raised in the newly updated contract(unverified) deployed on Jan 18th, 2023.