Hacker exploits EOS smart contract to steal $200K from gambling app


EOSBet, a 1,000,000-dollar EOS gambling dApp, suffered a major blow just days after declaring itself to be the safest of its kind. Hackers have taken 40,000 EOS ($200,000) from the operating wallet of EOSBet by exploiting vulnerabilities in its smart contracts.

“[…] A few hours ago, we were attacked, and about 40,000 EOS was taken from our bankroll,” an EOSBet spokesperson informed users. “This bug was not minor as was stated previously, and we are still doing forensics and piecing together what happened.”

EOSBet has since taken the dApp offline while its developers figure out exactly what happened. A spokesperson admits that the hackers were only successful due to a fault in its code.

“[EOSBet] should be back online relatively quickly. We have narrowed down the bug to a faulty assertion statement in our code,” the EOSBet spokesperson added. “After talking with other developers and BPs, it seems like other games were also attacked using this same exact code (abi forwarder).”

It appears hackers were able to call EOSBet’s ‘transfer’ function externally using a fake hash. This tricked EOSBet’s system into illegitimately sending a huge amount of EOS. A keen-eyed Redditor was the first to share the discovery. Hard Fork has since corroborated that the hack is authentic.
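The forwarding check described above, as an added example that is not EOSBet’s own code: a plain C++ model (no EOSIO SDK) of an ABI forwarder that routes `transfer` actions to a handler. The article says only that a faulty assertion in the forwarder let `transfer` be called externally; this model assumes the assertion in question is the check that the action originated from the `eosio.token` contract, and the account names (`dicegame`, `player1`) and amounts are constructed.

```cpp
#include <cassert>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

// Constructed model of an EOSIO-style "ABI forwarder": the apply() entry point
// that routes incoming actions to handler functions. No EOSIO SDK is used;
// the account names below are hypothetical stand-ins.
static const std::string TOKEN_CONTRACT = "eosio.token"; // system token contract
static const std::string GAME_CONTRACT  = "dicegame";    // hypothetical gambling dApp

// The fields a `transfer` action carries, plus the `code` EOSIO hands apply():
// the account whose contract actually executed the action.
struct TransferAction {
    std::string code;       // originating contract (eosio.token for a real transfer)
    std::string from;
    std::string to;
    std::uint64_t quantity; // constructed integer amount
    std::string memo;
};

struct Game {
    std::uint64_t bankroll = 0; // funds the dApp believes it holds
    int bets_accepted = 0;
};

// Handler the forwarder routes `transfer` to. It trusts that the action is a
// genuine token notification, so the forwarder must establish that first.
static void on_transfer(Game& game, const TransferAction& act) {
    if (act.to != GAME_CONTRACT) return; // notification of our own outgoing transfer
    game.bankroll += act.quantity;
    game.bets_accepted++;
}

// Hardened forwarder. The assertion on `code` is the check that, when missing or
// wrong, lets a `transfer` action pushed straight at the game contract be treated
// as an incoming bet. Returns true when the action was forwarded; throws when the
// origin check fails (an eosio_assert would abort the whole transaction).
static bool apply(Game& game, const std::string& action, const TransferAction& act) {
    if (action != "transfer") return false; // other actions not modelled
    if (act.code != TOKEN_CONTRACT) {
        throw std::runtime_error("transfer must originate from " + TOKEN_CONTRACT);
    }
    on_transfer(game, act);
    return true;
}

// A real bet: eosio.token executed the transfer and notified the game contract.
static bool genuine_transfer_credited() {
    Game game;
    TransferAction act{TOKEN_CONTRACT, "player1", GAME_CONTRACT, 100, "bet"};
    bool forwarded = apply(game, "transfer", act);
    return forwarded && game.bankroll == 100 && game.bets_accepted == 1;
}

// A `transfer` action delivered directly to the game account: `code` is the game
// contract itself, not eosio.token, so the forwarder rejects it and nothing is credited.
static bool direct_call_rejected() {
    Game game;
    TransferAction act{GAME_CONTRACT, "player1", GAME_CONTRACT, 100, "bet"};
    try {
        apply(game, "transfer", act);
        return false; // the assertion should have fired
    } catch (const std::runtime_error&) {
        return game.bankroll == 0 && game.bets_accepted == 0;
    }
}

int main() {
    std::cout << "genuine transfer credited: " << (genuine_transfer_credited() ? "yes" : "no") << '\n';
    std::cout << "direct transfer rejected:  " << (direct_call_rejected() ? "yes" : "no") << '\n';
    return 0;
}
```

The point of the model is where the check lives: the handler itself cannot tell a genuine token notification from a directly pushed action, so the origin assertion has to sit in the forwarder, before any handler that credits funds is reached.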

Taking a look at the EOS blockchain, though, we can see some curious events. It seems scammers, inspired by Twitter’s cryptocurrency scambots, have invaded the EOS blockchain hoping to benefit from the present chaos.

Small quantities of EOS have been sent to the attacker’s account with threatening messages attached. Using an account name very similar to the official EOSBet wallet, somebody is sending seemingly official communication in a bid to appear legitimate:

The message roughly translates to:

Memo: Please refund the illegal profit eos, otherwise we will hire a team of lawyers in China to pursue all criminal liability and losses to you. Eosbet official eos account: eosbetdicell.

Then, the fake account proceeds to offer a reimbursement service in order to capitalize on the still-developing situation. Scammers try to trick users into believing that EOSBet is reimbursing its customers for any stolen funds. At the time of writing, EOSBet has made no such declaration.

Note, the official EOSBet account is ‘eosbetdice11’, not ‘eosbetdicell’. Pretty sneaky.

Another reads:

Memo: Dear players: In order to make up for the loss of eosbet players in the hacking incident, the platform launched a recharge to send BET. 1EOS=1BET, the official eos account: eosbetdicell, the transfer will automatically give the same BET.

It remains unclear if today’s breach is somehow linked to other unusual activity taking place on EOSBet in the past few days. Earlier this week, a lucky gambler claimed over $600,000 from EOSBet, winning 36 consecutive bets.

For what it’s worth, at the time, an EOSBet spokesperson was absolutely adamant that the platform had not been hacked and that all bets on the platform were legitimate, including that $600,000.

What a difference just one day makes.

Published September 14, 2018 — 10:59 UTC
