A hacker inventively stole $76,000 from RUNE token holders. What is UniH?

in thorchain •  3 years ago 

Holders of THORChain tokens (RUNE) lost at least $76,000 during the attack that began a few hours ago.

The attacker sent UniH tokens to thousands of addresses, expecting that the owners would try to sell them on decentralized exchanges. In reality, the airdrop is a trap, and the token contract contains malicious code. If you simply approve a transaction involving UniH tokens in your wallet, the hacker will also be able to withdraw the RUNE held in it.
"This is a unique exploit that has been rarely used in recent years. But, since the attack is so clever, it can be quite effective," said Eden Au, a researcher at The Block.
The RUNE token contract is non-standard: it relies on `tx.origin`. Other tokens built on the most common Ethereum standard, ERC20, do not use it because of the inherent risks. When a user interacts with the UniH contract, they automatically authorize the withdrawal of their RUNE.
"Any contract can steal all your runes, you don't even need approvals or anything like that," writes the lead developer of the Yearn.Finance project, who goes by the nickname banteg. "In the documentation of the [Ethereum smart contract programming language] Solidity, the 'transferTo' function is literally given as an example of what should not be done."
The THORChain developers actually noted the presence of such an attack vector in the RUNE contract.
"Beware of phishing contracts that can steal your tokens by intercepting tx.origin," say the comments in the code.
Just this night, THORChain itself suffered a hacker attack, the third in the last month; it has lost a total of $13 million during this time due to various bugs.
"This was our choice during the development process. The contract will not be able to steal RUNE if you do not apply to it," the THORChain developers commented on the situation.
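
The difference between authorizing by `tx.origin` and the ERC20 allowance model, as an added Solidity sketch (not the RUNE contract's source and not code from the original post). `DemoToken` and `_move` are hypothetical names; only `transferTo` and `tx.origin` come from the article.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed teaching token. Names are hypothetical; this is not RUNE's code.
contract DemoToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
    }

    function _move(address from, address to, uint256 amount) internal {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }

    // WEAK: the debited account is tx.origin, the externally owned account
    // that signed the transaction. It stays the same through every nested
    // call, so ANY contract the holder touches in that transaction can call
    // this function and move the holder's balance. No allowance is consulted.
    function transferTo(address to, uint256 amount) external returns (bool) {
        _move(tx.origin, to, amount);
        return true;
    }

    // ERC20 model: the holder must first name a spender and a limit.
    // msg.sender here is the holder calling the token directly.
    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // ERC20 model: authorization is tied to msg.sender, the immediate caller.
    // An unrelated contract invoked by the holder has no allowance and reverts.
    function transferFrom(address from, address to, uint256 amount)
        external
        returns (bool)
    {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "allowance exceeded");
        allowance[from][msg.sender] = allowed - amount;
        _move(from, to, amount);
        return true;
    }
}
```

When reviewing a token contract, any state-changing function that reads `tx.origin` as the account to debit or authorize deserves the scrutiny that `transferTo` gets here.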
