Hacker exploits EOS smart contract to steal $200K from gambling app
“[…] A few hours ago, we were attacked, and about 40,000 EOS was taken from our bankroll,” an EOSBet spokesperson informed users. “This bug was not minor as was stated previously, and we are still doing forensics and piecing together what happened.”
EOSBet's developers have since taken the dApp offline while they work out exactly what happened. A spokesperson admits that the attackers only succeeded because of a fault in the app's code.
“[EOSBet] should be back online relatively quickly. We have narrowed down the bug to a faulty assertion statement in our code,” the EOSBet spokesperson added. “After talking with other developers and BPs, it seems like other games were also attacked using this same exact code (abi forwarder).”
It appears the attackers were able to call EOSBet’s ‘transfer’ function externally using a fake hash, which tricked EOSBet’s system into illegitimately sending out a huge amount of EOS. A keen-eyed Redditor was the first to share the discovery, and Hard Fork has since confirmed that the hack is authentic.
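The class of check the spokesperson describes, modelled as an added example in plain C++ (this is not EOSBet's code; `game.contract`, `attacker.acc` and `player1` are placeholder account names). On EOSIO every action delivered to a contract runs through `apply(receiver, code, action)`, and a genuine EOS deposit only ever arrives as the `transfer` action generated by the system token contract, so a dispatcher that routes on the action name alone will also accept a `transfer` sent straight to the contract by someone else:

```cpp
// Illustrative model of an EOSIO-style action dispatcher (not EOSBet's code).
// receiver: the contract being executed; code: the account whose contract
// generated the action; name: the action name; from/to: the transfer payload.
#include <string>

struct Action {
    std::string receiver;
    std::string code;
    std::string name;
    std::string from;
    std::string to;
};

static const std::string SELF  = "game.contract";  // placeholder game contract
static const std::string TOKEN = "eosio.token";    // EOS system token contract

// Weak dispatcher: routes to the transfer handler when the action targets the
// contract directly (code == receiver) or comes from eosio.token, then trusts
// the payload's `to` field as proof that EOS was deposited.
bool weak_accepts_deposit(const Action& a) {
    bool routed = (a.code == a.receiver || a.code == TOKEN);
    return routed && a.name == "transfer" && a.to == a.receiver;
}

// Hardened dispatcher: the deposit is credited only when the action was
// generated by the system token contract and is addressed to this contract.
// In a real contract this is the assertion on `code` inside the handler.
bool hardened_accepts_deposit(const Action& a) {
    bool from_token  = (a.code == TOKEN);
    bool is_transfer = (a.name == "transfer");
    bool to_self     = (a.to == a.receiver);
    return from_token && is_transfer && to_self;
}

// Constructed sample actions: a genuine deposit notification from eosio.token,
// a payout notification (to != self), and a "transfer" sent directly to the
// contract by another account with a fabricated payload.
const Action REAL_DEPOSIT{SELF, TOKEN, "transfer", "player1", SELF};
const Action PAYOUT{SELF, TOKEN, "transfer", SELF, "player1"};
const Action FORGED{SELF, SELF, "transfer", "attacker.acc", SELF};
```

The forged action passes the weak dispatcher and is rejected by the hardened one, while a genuine deposit is credited by both and a payout by neither.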
Taking a look at the EOS blockchain, though, we can see some curious events. It seems scammers, inspired by Twitter’s cryptocurrency scambots, have invaded the EOS blockchain in order to take advantage of the current chaos.
Small amounts of EOS have been sent to the attacker’s account with threatening messages attached. Using an account name very similar to the official EOSBet wallet, someone is sending seemingly official communications in a bid to appear legitimate:
The message roughly translates to:
Memo: Please refund the illegal income eos, otherwise we will hire a team of lawyers in China to pursue all criminal liability and losses to you. Eosbet official eos account: eosbetdicell.
Then, the fake account proceeds to offer a reimbursement service in order to capitalize on the situation still developing. Scammers are attempting to trick users into believing that EOSBet is reimbursing its customers for any funds stolen. At time of writing, EOSBet has made no such declarations.
Note that the official EOSBet account is ‘eosbetdice11’, not ‘eosbetdicell’. Pretty sneaky.
Memo: Dear players: In order to make up for the loss of eosbet players in the hacking incident, the platform launched a recharge to send BET. 1EOS=1BET, the official eos account: eosbetdicell, the transfer will automatically give the same BET.
It remains unclear if today’s breach is somehow connected to other unusual activity taking place on EOSBet in the past few days. Earlier this week, a lucky gambler claimed over $600,000 from EOSBet, winning 36 consecutive bets.
For what it’s worth, at the time, an EOSBet spokesperson was absolutely adamant that the platform had not been hacked and that all bets on the platform were legitimate, including that $600,000.
What a difference just one day makes.
Published September 14, 2018 — 10:59 UTC