Creative attacker steals $76,000 in RUNE by giving out free tokens

Quick Take

  • A bad actor is executing a rarely seen type of attack in the crypto space.
  • The attack revolves around a non-standard token contract in the RUNE token.
  • The perpetrator has been airdropping UniH tokens, which act as bait.

A rather cunning attack is playing out in the cryptosphere, one that has so far stolen $76,000 in tokens — and it’s only been going for a few hours.

In short, a bad actor is giving out — or airdropping — tokens to various crypto users. This might seem like free money, but it’s a trap. If the recipients spend the tokens, it can enable the perpetrator to steal any Thorchain (RUNE) tokens they happen to own.

"This is a unique exploit that has rarely been used in recent years. But since the attack is so underhanded, it could be quite effective," explained The Block Research’s Eden Au.

How the attack works

The perpetrator has been airdropping UniH tokens to at least 76,000 Ethereum addresses. The intention is that recipients will see these free tokens and try to sell them on a decentralized exchange.

But these tokens come with a malicious contract. And if the person does indeed sell their newly received UniH tokens (or even just approves them to be sold), then the perpetrator can also steal any RUNE tokens they possess in their wallet.

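This is able to happen because the RUNE token contract is non-standard: it relies on “tx.origin,” a value that identifies the account that originally signed a transaction rather than the contract making the call. Authorizing transfers this way is not part of the ERC-20 token standard, which most Ethereum-based tokens use, because of its risks.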

What happens is that the UniH tokens carry malicious code that will automatically transfer the user’s RUNE tokens to another wallet (presumably owned by the perpetrator) if approved. 

The only thing it needs is for the user to “call” the contract (i.e. set it in motion). But if the user goes to a decentralized exchange to sell the UniH tokens, it does exactly that — automatically displacing their RUNE tokens.

Thorchain’s RUNE token contract code shows that its authors were aware this type of attack could happen. “Beware phishing contracts that could steal tokens by intercepting tx.origin,” it states, when referring to the approval of transactions.
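The difference between authorizing by tx.origin and authorizing by the caller's allowance can be seen in a small model. This is an added example, not RUNE's contract code or anything from the article; the `Token` class, its method names and the account labels are assumptions made for illustration.

```python
# Simplified model of EVM call context, constructed for illustration.
# tx_origin: account that signed the transaction; constant for the whole call chain.
# msg_sender: the immediate caller; changes at every contract-to-contract hop.

class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining approved amount

    def _move(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise PermissionError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def approve(self, msg_sender, spender, amount):
        self.allowances[(msg_sender, spender)] = amount

    def transfer_by_origin(self, tx_origin, msg_sender, dst, amount):
        # Weak: debits whoever signed the transaction, no matter who is calling.
        self._move(tx_origin, dst, amount)

    def transfer_from(self, tx_origin, msg_sender, owner, dst, amount):
        # ERC-20 style: the caller can spend only what the owner approved for it.
        allowed = self.allowances.get((owner, msg_sender), 0)
        if allowed < amount:
            raise PermissionError("allowance exceeded")
        self.allowances[(owner, msg_sender)] = allowed - amount
        self._move(owner, dst, amount)

def call_via_contract(token, mode, user, contract, dst, amount):
    """User signs a call to `contract`, which then calls the token.
    Inside the token, msg_sender is the contract but tx_origin is still the user."""
    try:
        if mode == "origin":
            token.transfer_by_origin(user, contract, dst, amount)
        else:
            token.transfer_from(user, contract, user, dst, amount)
        return "moved"
    except PermissionError as exc:
        return f"rejected: {exc}"

def demo():
    weak, strict = Token({"user": 100}), Token({"user": 100})
    return {
        "origin": (call_via_contract(weak, "origin", "user", "other", "sink", 100), weak.balances["user"]),
        "allowance": (call_via_contract(strict, "allowance", "user", "other", "sink", 100), strict.balances["user"]),
    }
```

With the allowance check, an intermediate contract can move only what the holder explicitly approved for that contract, which is why wallets and reviewers treat tx.origin-based authorization as a red flag.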

This exploit comes on the same day that Thorchain suffered its third exploit in a month. The network for running cross-chain swaps has now lost a total of $13 million due to a variety of bugs. Supporters maintain that it’s still in a kind of beta form — albeit with real money — and that bugs are expected; hence why they affectionately refer to the network as a “Chaosnet.”
