(technical community)

Analysis

From Leena

* The bug is in the ETH Bifrost, and not the router
* The attacker wrapped the router with their own contract, which they called with a msg.value of 200, but their own contract called into the router with a call value of 0 and a deposit amount of 0
* The bifrost ultimately read the msg.value, which is 200, and not the final deposit amount, which was 0

Bifrost reads the deposit amount of 0:
<https://gitlab.com/thorchain/thornode/-/blob/develop/bifrost/pkg/chainclients/ethereum/ethereum_block_scanner.go#L794>

Bifrost overrides back to tx.value():
<https://gitlab.com/thorchain/thornode/-/blob/develop/bifrost/pkg/chainclients/ethereum/ethereum_block_scanner.go#L856>

The reason for the override is to facilitate another router function, vaultTransferEvent, where msg.value needs to be parsed.

The fix is to make the override only happen if it specifically is a vaultTransferEvent.

Next steps will be established soon, including recovery and return to solvency. If a community member wishes to help, it would be to get an accurate assessment of the attacks, their amounts, and the loss to the network.
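
The override flaw and the fix described in the analysis above, reduced to a minimal Go model. This is an added example, not THORNode's code: the types, function names and sample values are hypothetical, and the unconditional override is an assumption about how the flaw behaved.

```go
package main

import (
	"fmt"
	"math/big"
)

// Simplified model for illustration. Not THORNode code: every type and
// function name here is hypothetical.
type EventKind int

const (
	DepositEvent EventKind = iota
	VaultTransferEvent
)

// ObservedTx pairs the outer transaction's value with the router event.
type ObservedTx struct {
	TxValue     *big.Int  // msg.value of the top-level transaction
	Kind        EventKind // which router event was emitted
	EventAmount *big.Int  // amount the router recorded in that event
}

// creditedAmountBuggy models the flaw: the event amount is read first,
// then always overridden with the transaction value.
func creditedAmountBuggy(tx ObservedTx) *big.Int {
	amount := new(big.Int).Set(tx.EventAmount)
	amount.Set(tx.TxValue) // override applies to every event kind
	return amount
}

// creditedAmountFixed applies the override only to vault transfers,
// so a deposit is credited with what the router actually recorded.
func creditedAmountFixed(tx ObservedTx) *big.Int {
	amount := new(big.Int).Set(tx.EventAmount)
	if tx.Kind == VaultTransferEvent {
		amount.Set(tx.TxValue)
	}
	return amount
}

func main() {
	// Constructed sample: wrapper called with value 200, router deposit of 0.
	wrapped := ObservedTx{big.NewInt(200), DepositEvent, big.NewInt(0)}
	fmt.Println("buggy:", creditedAmountBuggy(wrapped), "fixed:", creditedAmountFixed(wrapped))
}
```

The same pair of functions makes a useful regression test: any observed deposit where the transaction value and the event amount disagree should be credited with the event amount.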

Observations

POIs

Attacker Wallet: https://etherscan.io/address/0x3a196410a0f5facd08fd7880a4b8551cd085c031

Contract Address: https://etherscan.io/address/0x4a33862042d004d3fc45e284e1aafa05b48e3c9c

Tornado Address: https://etherscan.io/address/0x4b713980d60b4994e0aa298a66805ec0d35ebc5a

New Hacker Wallet 07-19: https://etherscan.io/address/0xace2d948fc7ea3bc49eee5526786d66d19bc470e

Wallet Tx Count: 47

Wallet ERC TX Count: 261

Contract Tx Count: 48