Creative attacker steals $76,000 in RUNE by giving out free tokens

Hacks • July 23, 2021, 12:33PM EDT
Partner offers
The Block may may earn a commission if you use our partner offers, at no extra cost to you.

Quick Take

  • A bad actor is executing a rarely seen type of attack in the crypto space.
  • The attack revolves around a non-standard token contract in the RUNE token.
  • The perpetrator has been airdropping UniH tokens, which act as bait.

A rather cunning attack is playing out in the cryptosphere, one that has so far stolen $76,000 in tokens — and it’s only been going for a few hours.

In short, a bad actor is giving out — or airdropping — tokens to various crypto users. This might seem like free money, but it’s a trap. If the recipients spent the tokens, it can enable the perpetrator to steal any Thorchain (RUNE) tokens they happen to own.

"This is a unique exploit that has rarely been used in recent years. But since the attack is so underhanded, it could be quite effective," explained The Block Research’s Eden Au.

How the attack works

What’s happening is the perpetrator has been airdropping UniH tokens to at least 76,000 Ethereum addresses. The intention is that recipients will see these free tokens and try to sell them on a decentralized exchange.

But these tokens come with a malicious contract. And if the person does indeed sell their newly received UniH tokens (or even just approves them to be sold), then the perpetrator can also steal any RUNE tokens they possess in their wallet.

This is able to happen because RUNE tokens use a non-standard token contract, called “tx.origin.” This specific token contract is not used in the ERC-20 token standard — used by most Ethereum-based tokens — because of its risks. 

What happens is that the UniH tokens carry malicious code that will automatically transfer the user’s RUNE tokens to another wallet (presumably owned by the perpetrator) if approved. 

The only thing it needs is for the user to “call” the contract (i.e. set it in motion). But if the user goes to a decentralized exchange to sell the UniH tokens, it does exactly that — automatically displacing their RUNE tokens.

According to Thorchain’s RUNE token contract code, it was aware that this type of attack could happen. “Beware phishing contracts that could steal tokens by intercepting tx.origin,” it states, when referring to the approval of transactions.

This exploit comes on the same day that Thorchain suffered its third exploit in a month. The network for running cross-chain swaps has now lost a total of $13 million due to a variety of bugs. Supporters maintain that it’s still in a kind of beta form — albeit with real money — and that bugs are expected; hence why they affectionately refer to the network as a “Chaosnet.”


© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

AUTHOR

Tim Copeland profile picture Tim Copeland

Tim Copeland is the Head of Growth at The Block and host of The Crypto Beat, a live-streaming podcast. He was previously the company's Editor-in-Chief and spent seven years covering the industry as a journalist. Prior to joining The Block, Tim was a news editor at Decrypt. He earned a bachelor's degree in philosophy from the University of York and studied news journalism at Press Association Training. Follow him on X @Timccopeland.

See More
Connect on

WHO WE ARE

The Block is a news provider that strives to be the first and final word on digital assets news, research, and data.

+ Follow us on Google News
Connect with the block on

More by Tim Copeland