Hacker Uses EOS Smart Contract Exploit to Steal $240k

Just days after mocking EOS-based gambling platform DEOSGames for being hacked, EOSBet Casino’s dice gaming dApp – EOSBet Dice – was itself hacked. By exploiting vulnerabilities in the platform’s smart contracts, the hacker was able to siphon off roughly 44,400 EOS – worth more than $240,000 at current market prices.

EOSBet Left with Egg on Its Face – and a $240,000 Lighter Wallet

Smart Contract Flaws Run Rampant in EOS dApp Ecosystem

The EOSBet platform isn’t the only EOS dApp to fall victim to smart contract security flaws over the last week, however. The EOSBet team was quick to mock competitor DEOS Games for the loss of $24,000 in EOS due to a smart contract exploit, in a tweet that has since been deleted:

“DEOS Games, a clone and competitor of our dice game, has suffered a severe hack today that drained their bankroll. As of now every single dice game and clone site has been hacked. We have the biggest bankroll, the best developers, and a superior UI. Play on.”

EOS transaction records show a DEOS Games user receiving jackpot payouts from the platform 24 times in a row, yielding 4,728 EOS in less than an hour.

EOSBet is learning firsthand that karma is a right bitch.

Just days after taking to Twitter to mock competitor DEOSGames for being hacked, EOSBet found themselves in similar straits.

On September 14, at approximately 3:00 am UTC, a hacker going by the pseudonym aabbccddeefg exploited a vulnerability in EOSBet Dice’s smart contracts and managed to steal a reported 44,428.4302 EOS from EOSBet’s operating wallet.

At current market prices, the theft is valued at over $245,000.

An EOSBet spokesperson confirmed the hack, stating:

A few hours ago, we were attacked, and about 40,000 EOS was taken from our bankroll. […] This bug was not minor as was stated previously, and we are still doing forensics and piecing together what happened.

Following the hack, EOSBet took its dice dApp offline while it attempted to ascertain exactly what had happened.

According to Hard Fork, Redditor u/thbourlove was the first to share the discovery of the vulnerability, which allowed the hacker to call EOSBet’s ‘transfer’ function externally, using a fake hash. In a detailed explanation of the hack on Reddit, EOSBet explained that the exploit essentially allowed the hacker to place bets on the platform without having to transfer any EOS to the contract. The hacker incurred no loss on a losing bet, but a winning bet paid out real EOS from the contract, which he or she then withdrew.
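As an added illustration, not code from the article or from EOSBet, the following self-contained C++ model shows the bug class described above: a dice contract whose bet logic runs on any incoming ‘transfer’ action, beside a dispatcher that accepts a transfer only when the notification came from the real token contract and the funds were actually sent to the contract. The account names, the bankroll figures and the exact check that closed the hole are constructed assumptions (the article only states that ‘transfer’ could be called externally); real EOSIO contracts use `eosio::name` and the dispatcher’s `code` parameter, which this model represents as plain strings.

```cpp
#include <cstdint>
#include <string>

// A token transfer notification as seen by a receiving contract (constructed model).
struct Transfer {
    std::string from, to;
    int64_t quantity;      // whole EOS units for simplicity
    std::string memo;      // in the real game this carried the bet parameters
};

struct DiceContract {
    std::string self = "dicecontract";   // constructed contract account name
    int64_t bankroll = 100000;           // constructed starting bankroll
    int64_t bets_accepted = 0;

    // Core bet logic. It is only reachable through the transfer handler, so the
    // handler is the single place where "the player really paid" must be checked.
    void place_bet(const Transfer& t) {
        ++bets_accepted;
        bankroll += t.quantity;          // the stake is assumed to have arrived
    }

    // Vulnerable dispatch: reacts to any action named "transfer", no matter which
    // contract emitted it. An attacker's own contract can emit a "transfer" that
    // moves no tokens, and the dice contract still books a bet for it.
    bool vulnerable_apply(const std::string& code, const std::string& action,
                          const Transfer& t) {
        (void)code;                      // the sender contract is never inspected
        if (action != "transfer") return false;
        place_bet(t);
        return true;
    }

    // Hardened dispatch: a transfer counts only if it was notified by the system
    // token contract, is addressed to this contract, and carries a positive stake.
    bool hardened_apply(const std::string& code, const std::string& action,
                        const Transfer& t) {
        if (action != "transfer") return false;
        if (code != "eosio.token") return false;   // forged action from another contract
        if (t.to != self) return false;            // e.g. our own outgoing payout notification
        if (t.quantity <= 0) return false;
        place_bet(t);
        return true;
    }
};
```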

In this particular instance, 23 transactions sent varying amounts to the hacker’s account in the span of less than five minutes:

EOSBet hacker transactions

After patching the vulnerability, EOSBet was able to get the dice game back online that same day.

EOSBet has announced new security measures, including more robust internal code testing, third-party auditing, and improved smart contract monitoring, which it says will prevent further smart contract exploits. The EOS ecosystem remains a prime target for enterprising hackers, black hat and white hat alike: EOS bug bounties have paid out more than $416,000 in 2018 to date.
