A gambling application that is based on the EOS blockchain has had a flaw in its smart contract system exploited. Hackers were able to make off with $200,000 worth of EOS due to the vulnerability.
EOSBet Taken Offline Following Security Breach
Those behind today’s attack exploited a weakness in one of the EOSBet platform’s smart contracts. Following the incident, the service was taken offline whilst developers tried to pinpoint exactly how such an attack was possible.
According to a report by TheNextWeb, an EOSBet spokesperson has stated:
“[…] A few hours ago, we were attacked, and about 40,000 EOS was taken from our bankroll… This bug was not minor as was stated previously, and we are still doing forensics and piecing together what happened.”
They added that the service should resume full functionality “relatively quickly” and that the incident was caused by a fault within the coding of one of their games. In addition, it appears that the hackers were able to target numerous games with the same code.
It seems that those behind the attack were able to trick EOSBet’s transfer-funds function by using a fake hash. The discovery was first made public by a member of the EOSBet Reddit community. The post by user “thbourlove” showed the code used to exploit the vulnerability. The platform’s official Reddit account responded:
“Yep, we were hacked. But we also have this exact assertion that you do. I would be careful, it’s a bit deeper than you think.”
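The article says a “fake hash” fooled the transfer-funds function but does not describe the mechanism. As a defender’s illustration of one check every EOS contract that accepts deposits should make, the plain C++ model below (an added example, not EOSBet’s code, and not a claim about the exact EOSBet defect) contrasts a deposit handler that keys only on the action name “transfer” with one that also verifies which contract emitted the action and who the recipient is. Account names, amounts and the `Incoming` struct are constructed; the real EOSIO entry point `apply(receiver, code, action)` carries the same three pieces of information.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <string>

// Added illustration (not EOSBet's code): how an EOS contract should validate
// an inbound token transfer before crediting its bankroll. EOSIO delivers every
// action through apply(receiver, code, action), where `code` is the account
// whose contract emitted the action. A handler that keys only on the action
// name "transfer" also accepts a "transfer" emitted by any other contract.
// All names and amounts below are constructed sample data.

struct Transfer {
    std::string from;
    std::string to;
    uint64_t quantity;    // whole units; stands in for an EOSIO asset
    std::string symbol;   // e.g. "EOS"
};

struct Incoming {
    std::string receiver; // account whose contract is executing
    std::string code;     // account whose contract emitted the action
    std::string action;   // action name
    Transfer data;        // decoded action payload
};

using Ledger = std::map<std::string, uint64_t>;

const std::string SYSTEM_TOKEN = "eosio.token";  // the real EOS token contract
const std::string GAME_ACCOUNT = "gamebankroll"; // constructed placeholder for the dApp account

// Weak handler: credits any "transfer" whose symbol reads "EOS".
bool credit_weak(const Incoming& in, Ledger& ledger) {
    if (in.action != "transfer" || in.data.symbol != "EOS") return false;
    ledger[in.data.from] += in.data.quantity;
    return true;
}

// Hardened handler: the transfer must be emitted by the system token contract,
// be addressed to this contract, and not be our own outgoing payout
// (eosio.token notifies both sender and receiver of a transfer).
bool credit_checked(const Incoming& in, Ledger& ledger) {
    if (in.action != "transfer") return false;
    if (in.code != SYSTEM_TOKEN) return false;      // emitted by some other contract
    if (in.data.to != in.receiver) return false;    // not addressed to us
    if (in.data.from == in.receiver) return false;  // our own payout echoing back
    if (in.data.symbol != "EOS") return false;
    ledger[in.data.from] += in.data.quantity;
    return true;
}

// Constructed sample: a genuine deposit routed through eosio.token.
Incoming genuine_deposit() {
    return {GAME_ACCOUNT, SYSTEM_TOKEN, "transfer", {"honestplayer", GAME_ACCOUNT, 10, "EOS"}};
}

// Constructed sample: an identical payload emitted by a contract that is not eosio.token.
Incoming forged_deposit() {
    return {GAME_ACCOUNT, "othertoken11", "transfer", {"otheraccount", GAME_ACCOUNT, 40000, "EOS"}};
}

// Constructed sample: our own payout, which eosio.token also notifies us about.
Incoming own_payout() {
    return {GAME_ACCOUNT, SYSTEM_TOKEN, "transfer", {GAME_ACCOUNT, "honestplayer", 5, "EOS"}};
}

// Amount the weak handler credits for the forged notification.
uint64_t weak_credit_for_forgery() {
    Ledger l;
    credit_weak(forged_deposit(), l);
    return l["otheraccount"];
}

// Amount the hardened handler credits for the forged notification.
uint64_t checked_credit_for_forgery() {
    Ledger l;
    credit_checked(forged_deposit(), l);
    return l["otheraccount"];
}

// Amount the hardened handler credits for the genuine deposit.
uint64_t checked_credit_for_genuine() {
    Ledger l;
    credit_checked(genuine_deposit(), l);
    return l["honestplayer"];
}

// Whether the hardened handler mistakes our own payout for a deposit.
bool checked_accepts_own_payout() {
    Ledger l;
    return credit_checked(own_payout(), l);
}

int main() {
    std::cout << "weak handler credits forged transfer:     " << weak_credit_for_forgery() << "\n";
    std::cout << "hardened handler credits forged transfer: " << checked_credit_for_forgery() << "\n";
    std::cout << "hardened handler credits genuine deposit: " << checked_credit_for_genuine() << "\n";
    std::cout << "hardened handler accepts own payout:      " << checked_accepts_own_payout() << "\n";
    return 0;
}
```

The point of the model is that the action name and the asset symbol are attacker-controlled strings; only the `code` field, which the chain sets to the emitting contract, ties a notification to the real token contract, and the `to`/`from` checks stop the contract from treating its own payouts as deposits.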
It seems that those responsible for the attack have attempted to make the transfers off the platform to the attacker’s wallet appear legitimate by creating an account whose name looks very similar to that of the official EOSBet wallet. That lookalike account received small transactions from a number of accounts accompanied by the following memo and other similar ones:
“Memo: Please refund the illegal income eos, otherwise we will hire a team of lawyers in China to pursue all criminal liability and losses to you. Eosbet official eos account: eosbetdicell.”
Taking a leaf out of the Twitter-bot scammers’ playbook of spreading ill-gotten gains thinly across many wallets, the fake account then sent out many small amounts of EOS tokens to several accounts with this message:
“Memo: Dear players: In order to make up for the loss of eosbet players in the hacking incident, the platform launched a recharge to send BET. 1EOS=1BET, the official eos account: eosbetdicell, the transfer will automatically give the same BET.”
Presumably, the disbursement is meant to resemble an official refund for players affected by the breach.
Although the figures involved are much smaller, the incident is all too reminiscent of the DAO hack on the Ethereum network. There, a smart contract vulnerability was exploited, allowing attackers to make off with millions of dollars of investors’ ETH tokens. It was the response to this that caused the fork that created Ethereum Classic. Clearly, far greater care needs to be taken by developers hoping to use smart contracts in their dApps.