Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Due to the use of msg.value in for loop, anyone can drain all the funds from the THORChain_Router contract - 1483

Code4Rena, posted 1 year ago
  • Thorchain is a cross-chain bridging platform with DeFi elements. In the Thorchain router on EVM, an arbitrary contract is invoked with a low-level call. If that fails, a plain ETH transfer to the target is attempted. If that also fails, msg.sender is simply refunded, and the refund amount is just msg.value.
  • Two functions can trigger this path: transferOutAndCallV5 and batchTransferOutAndCallV5. When the batch function runs this logic in a loop, msg.value is reused on every iteration and refunded to the user each time, so all of the ETH held by the contract can be stolen.
  • The judges rated the vulnerability as medium rather than high as the author proposed. My guess is that the router shouldn't normally hold ETH, which makes this a way to steal value only when people send it there by accident. Besides the theft of funds, it leads to a self-DoS if more than one revert occurs and there are no funds in the contract.
  • This is why using msg.value in loops is bad practice. Instead, the amount of funds being sent should be tracked in a separate variable and must never exceed the value passed in originally. Regardless, a great find and a solid write-up!
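To make the pattern concrete, here is a constructed Solidity illustration (added here; it is not the THORChain router's code nor the report's, and the contract, struct and function names are my own) showing a batch function that refunds msg.value on every failed iteration next to a version that tracks the remaining deposit explicitly:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example of the msg.value-in-a-loop pattern (not the THORChain router).
contract BatchRefundExample {
    struct Call { address target; uint256 amount; bytes data; }

    // VULNERABLE: the refund path re-reads msg.value on every iteration.
    // A batch with N failing calls refunds msg.value N times, paying out
    // ETH the contract already held before this transaction.
    function batchVulnerable(Call[] calldata calls) external payable {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = calls[i].target.call{value: calls[i].amount}(calls[i].data);
            if (!ok) {
                (ok, ) = calls[i].target.call{value: calls[i].amount}("");
            }
            if (!ok) {
                // Bug: msg.value is the whole deposit, not this call's share.
                (bool refunded, ) = msg.sender.call{value: msg.value}("");
                require(refunded, "refund failed");
            }
        }
    }

    // HARDENED: debit each call from a local balance seeded with msg.value,
    // so the total paid out (calls plus refund) can never exceed the deposit.
    function batchHardened(Call[] calldata calls) external payable {
        uint256 remaining = msg.value;
        for (uint256 i = 0; i < calls.length; i++) {
            uint256 amount = calls[i].amount;
            require(amount <= remaining, "exceeds deposit");
            remaining -= amount; // debit before the external call
            (bool ok, ) = calls[i].target.call{value: amount}(calls[i].data);
            if (!ok) {
                (ok, ) = calls[i].target.call{value: amount}("");
            }
            if (!ok) {
                remaining += amount; // credit back only this call's share
            }
        }
        // Single refund of whatever was not spent, bounded by msg.value.
        if (remaining > 0) {
            (bool refunded, ) = msg.sender.call{value: remaining}("");
            require(refunded, "refund failed");
        }
    }
}
```

Note that the hardened version also removes the self-DoS: a failed call no longer reverts the whole batch when the contract has no ETH beyond the caller's deposit, since the refund is bounded by that deposit.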