$18 000 USD

MAY 2024

GLOBAL

TCH TOKEN

DESCRIPTION OF EVENTS

Address: https://bscscan.com/address/0x5d78cfc8732fd328015c9b73699de9556ef06e8e

 

Unclear if potentially related: https://bscscan.com/address/0x9c6c2617D408F50fEF599A3e03c4c464293fdAD3 | Jun 7, 2024
https://tchtoken.com/ | Jun 7, 2024
https://www.tradingview.com/symbols/TCHUSDT/minds/ | Jun 7, 2024
https://etherscan.io/token/0x9972a0f24194447e73a7e8b6cd26a52e02ddfad5 | Jun 7, 2024
https://coinpaprika.com/coin/tch-tch-token/ | Jun 7, 2024
https://bscscan.com/token/0xc9586f53cd7bd2b1fa3549218e9756306cd09053 | Jun 7, 2024
https://bscscan.com/address/0x5d78cfc8732fd328015c9b73699de9556ef06e8e | Jun 7, 2024

 

"The vulnerable contract has a burnToken function that verifies a signature for authorization. To prevent signature replay it stores the used signatures in a mapping which can be bypassed if a signature is tampered."

 

"TCH token has been exploited for 18k due to a CTF-style signature malleability"

 

"The attacker harvested previously submitted signatures and modified the `v` part of the signature: instead of 0x01 they submitted 0x1c (28). As a result the signature was successfully verified with ecrecover, however a different sig was stored in the mapping."

 

"As a result the attacker burned lots of TCH tokens owned by the PancakeSwap pair, which allowed him to manipulate the price in the pool and take the profit."
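The replay-tracking flaw described in the quotes above, shown as an added example that is not the TCH contract's code or code from any of the cited firms: a constructed contract that contrasts a burn function keyed on raw signature bytes with one that accepts a single canonical encoding and keys replay protection on the signed digest. The contract, function and parameter names, the message layout and the `v < 27` normalisation are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed illustration; not the TCH contract's code. All names are hypothetical.
contract BurnAuthExample {
    address public immutable signer;
    mapping(bytes => bool) public usedSignatures; // weak: keyed by raw signature bytes
    mapping(bytes32 => bool) public usedDigests;  // hardened: keyed by the signed message
    // Half of the secp256k1 group order; an s value above it is the malleable twin.
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;
    event BurnAuthorized(address indexed from, uint256 amount);

    constructor(address signer_) { signer = signer_; }

    function _digest(address from, uint256 amount, uint256 nonce) private view returns (bytes32) {
        return keccak256(abi.encode(address(this), block.chainid, from, amount, nonce));
    }

    function _split(bytes calldata sig) private pure returns (bytes32 r, bytes32 s, uint8 v) {
        require(sig.length == 65, "bad length");
        r = bytes32(sig[0:32]);
        s = bytes32(sig[32:64]);
        v = uint8(sig[64]);
    }

    // Weak pattern: v is normalised before ecrecover, but replay tracking uses the raw
    // bytes, so v = 0x01 and v = 0x1c are two distinct keys for one valid signature.
    function burnWeak(address from, uint256 amount, uint256 nonce, bytes calldata sig) external {
        require(!usedSignatures[sig], "replayed");
        (bytes32 r, bytes32 s, uint8 v) = _split(sig);
        if (v < 27) v += 27;
        require(ecrecover(_digest(from, amount, nonce), v, r, s) == signer, "bad signature");
        usedSignatures[sig] = true;
        emit BurnAuthorized(from, amount);
    }

    // Hardened pattern: one accepted encoding, replay tracking keyed by what was signed.
    function burnHardened(address from, uint256 amount, uint256 nonce, bytes calldata sig) external {
        (bytes32 r, bytes32 s, uint8 v) = _split(sig);
        require(v == 27 || v == 28, "non-canonical v");
        require(uint256(s) <= HALF_N, "high-s");
        bytes32 digest = _digest(from, amount, nonce);
        require(!usedDigests[digest], "replayed");
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == signer, "bad signature");
        usedDigests[digest] = true;
        emit BurnAuthorized(from, amount);
    }
}
```

Keying on the digest means every alternative encoding of the same authorisation maps to one replay entry; the `v` and low-`s` checks additionally reject those encodings outright.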

 

$18-$19k

 

"According to the SlowMist security team's monitoring, the TCH token on the BNBChain has been continuously attacked due to a malleability issue, resulting in a loss of approximately $19,000."

 

"We have detected that the $TCH token is being continuously exploited due to malleability issue."

 

Explore This Case Further On Our Wiki

The TCH Token on the Binance Smart Chain doesn't appear to have an official website or social media, but multiple security firms found that this smart contract had been exploited and $18-$19k were drained from the smart contract. Given that there is no indication who is behind the token, it would seem unlikely that any resolution is available for affected users.

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.