• By giving away free tokens, a clever attacker takes $76,000 in RUNE

  • In the cryptosphere, a sophisticated attack is taking place that has so far taken $76,000 in tokens – and it’s only been underway for a few hours.

    A malicious actor is distributing, or airdropping, tokens to various cryptocurrency users. This may appear to be free money, but it is a ruse. If the recipients spend the tokens, the culprit may be able to steal any Thorchain (RUNE) tokens they own.

    “This is a one-of-a-kind exploit that has only been exploited a few times in recent years. However, because the attack is so devious, it has the potential to be highly effective,” Eden Au of The Block Research explains.

    The attack’s mechanism

    UniH tokens have been airdropped to at least 76,000 Ethereum addresses, according to the culprit. The goal is for recipients to notice the free tokens and attempt to sell them on a decentralized exchange.

    However, these tokens are accompanied by a harmful contract. If the victim sells their freshly received UniH tokens (or even just confirms their sale), the culprit can also take any RUNE tokens they have in their wallet.

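    This is possible because RUNE's token contract relies on “tx.origin,” a non-standard way of deciding whose tokens to move: tx.origin is the account that signed the original transaction, not the contract or account that made the immediate call. Because of its hazards, this mechanism is not part of the ERC-20 token standard, which is used by most Ethereum-based tokens.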

    The UniH tokens contain malicious code, which, if allowed, will automatically move the user’s RUNE tokens to another wallet (probably owned by the culprit).

    The sole requirement is that the user “calls” the contract (i.e. sets it in motion). Going to a decentralized exchange to sell UniH tokens does exactly that, and the user's RUNE tokens are moved out immediately.

    Thorchain’s RUNE token contract code acknowledges the possibility of such an attack. When it comes to transaction acceptance, it warns, “Beware phishing contracts that could steal tokens by intercepting tx.origin.”
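
    The difference between authorising by tx.origin and by the immediate caller, as an added Python model that is not part of the original article and is not Thorchain's contract code. The class names, addresses and balances are constructed for illustration; `debit_origin=True` stands for the tx.origin pattern and `False` for the usual ERC-20 behaviour of debiting the immediate caller.

```python
from dataclasses import dataclass

@dataclass
class Ctx:
    origin: str  # tx.origin: account that signed the transaction; same in every nested call
    sender: str  # msg.sender: immediate caller; changes at each contract-to-contract call

class Token:
    """Toy token ledger (hypothetical). debit_origin=True models authorising by tx.origin."""
    def __init__(self, balances, debit_origin):
        self.balances = dict(balances)
        self.debit_origin = debit_origin

    def transfer_to(self, ctx, recipient, amount):
        payer = ctx.origin if self.debit_origin else ctx.sender
        if self.balances.get(payer, 0) < amount:
            return False  # payer cannot cover the amount: nothing moves
        self.balances[payer] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        return True

class UntrustedToken:
    """Stand-in for an airdropped token whose transfer makes a nested call."""
    def __init__(self, address, other_token, collector):
        self.address = address
        self.other_token = other_token
        self.collector = collector

    def transfer(self, ctx, recipient, amount):
        # Nested call: the signer stays tx.origin, this contract becomes msg.sender.
        nested = Ctx(origin=ctx.origin, sender=self.address)
        held = self.other_token.balances.get(ctx.origin, 0)
        return self.other_token.transfer_to(nested, self.collector, held)

def sell_untrusted(debit_origin):
    """User signs one transaction that touches the untrusted token; return the other ledger."""
    ledger = Token({"0xUSER": 100}, debit_origin)  # constructed balance
    untrusted = UntrustedToken("0xTOKEN", ledger, "0xCOLLECTOR")
    untrusted.transfer(Ctx(origin="0xUSER", sender="0xDEX"), "0xDEX", 1)
    return ledger.balances

if __name__ == "__main__":
    print("tx.origin auth:", sell_untrusted(True))
    print("msg.sender auth:", sell_untrusted(False))
```

    With caller-based authorisation the nested call debits the untrusted contract's own empty balance and fails, so the user's holdings are untouched.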

    This vulnerability was discovered on the same day as Thorchain’s third in a month. Due to a multitude of problems, the network for executing cross-chain swaps has already lost a total of $13 million. Supporters argue that the network is still in beta mode — albeit with real money — and that bugs are to be expected, which is why they call it a “Chaosnet.”
