Barely a month after carting away a significant sum from the EOSBet gambling dApp, hackers have found another loophole and struck a second time, hauling away EOS tokens worth about $338,000. A screenshot of three illegal transactions showed the hackers' account siphoning 65,000 EOS (approximately $338,000) from the operational wallet of the gambling dApp.
The automated dice game has become the casualty of a seemingly weak security mechanism. The thieves tricked its smart contracts into wrongly crediting their accounts with large amounts of cryptocurrency after injecting malicious code into standard EOS accounts.
The EOS team is yet to divulge the gravity of the latest damage, but a block producer admitted the presence of a loophole, thereby calling for a more rigorous verification process. The statement via Medium read in part:
“A vulnerability has been discovered in multiple contracts using notification from other contracts. All parameters from notification need to be explicitly checked, as checking only contract name and action name is not sufficient.”
Malicious Codes into EOS Wallets
Hackers injected EOS accounts with malicious code that instantly triggered the funds' transfer function, tricking the dApp's contract into matching every transaction with an equivalent amount of cryptocurrency from its operational wallet. The cycle involved the hackers sending transactions among themselves to make the contract pay out cryptocurrency.
The illegal transactions were executed rapidly, depleting EOSBet's holdings in less than a minute. Each transaction is deemed to represent another 500 EOS entering the hackers' kitty.
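The block producer's advice above boils down to one rule: a contract that reacts to transfer notifications must validate every field of the notification, not just which contract and action it came from. The following is an added example, not EOSBet's code or any audited contract: a plain C++ model of the fields an EOSIO contract sees on a transfer notification, with the name-only check placed beside a check that also validates the receiver, the sender and the quantity. The struct layout, function names and account names (`dicegame`, `player1`, `acct.a`, `acct.b`) are assumptions for illustration, and the sample notifications are constructed; the model uses only the standard library so it compiles without the EOSIO SDK.

```cpp
#include <cstdlib>
#include <string>

// A token transfer as carried by an eosio.token "transfer" action
// (field names follow the eosio.token ABI; the struct itself is a model).
struct Transfer {
    std::string from;
    std::string to;
    std::string quantity;  // asset string such as "10.0000 EOS"
    std::string memo;
};

// What a contract's apply() entry point sees when a notification arrives.
// Hypothetical model of the EOSIO dispatch context, not SDK code.
struct Notification {
    std::string receiver;  // account whose contract is executing (_self)
    std::string code;      // contract that authored the action
    std::string action;    // action name
    Transfer data;         // unpacked action payload
};

// The weak check the block producer warns about: contract name and
// action name only. A genuine eosio.token transfer between two unrelated
// accounts whose notification is merely forwarded to us passes it.
bool accepts_transfer_weak(const Notification& n) {
    return n.code == "eosio.token" && n.action == "transfer";
}

// Parses "<amount> <symbol>" and returns true only if the symbol is EOS
// and the amount is strictly positive. Returns false on malformed input.
bool is_positive_eos(const std::string& quantity) {
    std::size_t space = quantity.find(' ');
    if (space == std::string::npos) return false;
    if (quantity.substr(space + 1) != "EOS") return false;
    char* end = nullptr;
    double amount = std::strtod(quantity.c_str(), &end);
    if (end != quantity.c_str() + space) return false;  // junk before the space
    return amount > 0.0;
}

// The hardened check: every field of the notification is validated,
// not just where it came from.
bool accepts_transfer_strict(const Notification& n) {
    if (n.code != "eosio.token" || n.action != "transfer") return false;
    if (n.data.to != n.receiver) return false;    // funds must land in this contract
    if (n.data.from == n.receiver) return false;  // ignore our own outgoing payouts
    return is_positive_eos(n.data.quantity);      // right token, non-zero amount
}

// Constructed samples: a real deposit into the contract, and a notification
// about a transfer between two other accounts that was forwarded to it.
Notification sample_deposit() {
    return {"dicegame", "eosio.token", "transfer",
            {"player1", "dicegame", "10.0000 EOS", "bet"}};
}
Notification sample_forwarded() {
    return {"dicegame", "eosio.token", "transfer",
            {"acct.a", "acct.b", "500.0000 EOS", "bet"}};
}
```

Both samples pass `accepts_transfer_weak`, because both really are `eosio.token::transfer` notifications; only the genuine deposit passes `accepts_transfer_strict`, since the forwarded one names a different receiver. The `from != receiver` test matters as well: a contract's own payouts also generate transfer notifications to itself, and a handler that credits on every transfer it hears about would otherwise credit its own outgoing funds.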
More Knocks for EOS
Barely a few days after EOSBet proclaimed itself the safest of its kind, hackers took advantage of a security flaw in its smart contract to loot 40,000 EOS (around $200,000). While trying to play down the enormity of the loss, a spokesperson for the company described it as “a minor incident.” HardFork, which reported the hack, quoted the spokesperson as stating:
“A few hours ago, we were attacked, and about 40,000 EOS was taken from our bankroll, (..) this bug was not minor as stated previously, and we are still doing forensics and piecing together what happened.”
The company said the dApp had been taken offline to “figure out exactly what happened” and that the bug that caused the “faulty assertion statement” in the code had been identified. The company maintained that the code had been audited ‘extensively’ by its development team and “multiple independent third parties.” It then promised to “harden” its security measures.
With the latest attack coming within the space of a month, public trust is bound to wane. Hackers seem to have exploited the transfer function just as they did during the first attack. The same hash being reused conditioned the system to transfer huge amounts of EOS again illegitimately. Seen as a knock on the developers of the supposedly audited code, the incident will leave many in the community wondering whether the company can take proactive measures to prevent future attacks.
Hackers and Gambling Portals
In 2009, hackers allegedly connived with an insider in Israel's Sports Betting Council to introduce a program into the council's mainframe computer. The program was aimed at gaining access to a database of some 400,000 subscribers to the Toto lottery, which was being managed by the Betting Council. The program would have given the hackers the opportunity to threaten subscribers into forfeiting their winnings.
An inquiry into the case revealed the complicity of many functionaries within the organization. The story was kept under wraps to avoid a scandal that could have put a number of ministries in a bad light before the general public.
1 Comment
This is a coding error, not a vulnerability. Nice spin.