"Fake Transfer Notice" Loophole Details Explained, 140K EOS Tokens Lost by EOSBet
At noon on 10/15, as reported by IMEOS, the well-known EOS blockchain gambling platform EOSBet was attacked, and a large amount of EOS tokens was lost. Initial analysis showed that a hacker account named ilovedice123 attacked EOSBet's contract, eosbetdice11.
The blockchain security company PeckShield detected and monitored this attack in real time. Initially some people on the web classified the attack as an overflow attack, but further analysis by PeckShield security professionals showed that the hacker actually exploited a loophole in the EOSBet contract's verification of incoming payments: a fake transfer notice.
“Fake transfer notice” attack details
In a normal EOS transfer, sender A transfers some EOS to receiver B through the system contract eosio.token, and both A and B then receive notices of the transaction. If B also has a contract deployed, that contract can forward the notice to other accounts.
As shown in figure 1, in this attack the attacker used account ilovedice123 (A) to transfer to whoiswinner1 (B). Normally, after the system contract eosio.token processes the transfer, both A and B receive notices. But the attacker had deployed a contract on account B, and this contract forwarded the transfer notice to eosbetdice11 (the EOSBet contract) via "require_recipient(N(eosbetdice11))", so EOSBet also received the notice of the transfer from A to B.
The problem is that after receiving the notice, the EOSBet contract did not check whether the 'to' field of the transfer was actually itself; it simply treated the notice as a normal deposit and credited A according to the game rules. In reality, both A and B belonged to the attacker, and by transferring between his/her own accounts he/she cheated a large amount of rewards out of the game platform at no cost.
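The notice path described above, as an added C++ model that is neither the EOSBet contract's code nor the EOSIO API: eosio.token notifies both parties, a contract on the receiving account may forward the notice, and the game contract decides whether to credit. The account names, the simplified Transfer struct and the two handlers are constructed for illustration; the flawed handler credits any notice it sees, the hardened one first checks that 'to' is the contract itself.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Constructed model of a transfer notice as a receiving contract sees it
// (simplified: real EOSIO contracts use eosio::name and eosio::asset).
struct Transfer {
    std::string from;
    std::string to;
    long long quantity;  // constructed unit: 0.0001 EOS
};

using Handler = bool (*)(const std::string& self, const Transfer& t);

// Hypothetical model of the flawed handler: every transfer notice it receives
// is treated as a deposit to the game; the 'to' field is never compared to self.
bool vulnerable_on_transfer(const std::string& self, const Transfer& t) {
    (void)self;
    return t.quantity > 0;            // credited as a bet
}

// Hardened handler: credit only when this contract is the real recipient.
bool hardened_on_transfer(const std::string& self, const Transfer& t) {
    if (t.to != self) return false;   // notice forwarded from a transfer between other accounts
    if (t.from == self) return false; // the contract's own outgoing payouts also notify it
    return t.quantity > 0;
}

// Mock of eosio.token delivery plus require_recipient forwarding: 'from' and
// 'to' are notified, and the contract on 'to' may forward the same notice to
// further accounts (what the attacker's contract on B did). Returns whether
// the game contract credited the transfer as a deposit.
bool game_credited(Handler handler, const std::string& game, const Transfer& t,
                   const std::vector<std::string>& forwarded_by_to) {
    std::vector<std::string> notified = {t.from, t.to};
    notified.insert(notified.end(), forwarded_by_to.begin(), forwarded_by_to.end());
    for (const auto& acct : notified)
        if (acct == game && handler(game, t)) return true;
    return false;
}

int main() {
    const std::string game = "eosbetdice11";
    Transfer legit{"player1", game, 10000};                 // constructed: real deposit
    Transfer fake{"ilovedice123", "whoiswinner1", 10000};    // A -> B, B forwards to game
    std::printf("legit: vulnerable=%d hardened=%d\n",
                game_credited(vulnerable_on_transfer, game, legit, {}),
                game_credited(hardened_on_transfer, game, legit, {}));
    std::printf("fake:  vulnerable=%d hardened=%d\n",
                game_credited(vulnerable_on_transfer, game, fake, {game}),
                game_credited(hardened_on_transfer, game, fake, {game}));
    return 0;
}
```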
The same type of attack from different accounts lasted for days
As monitored by PeckShield, as early as 10/10 the account "iwasagoodboy" was already using this type of attack, and gained 345.5 EOS through 67 fake transfer notices. Further tracing found that between 10/10 and 10/15, five accounts used this type of attack: "iwasagoodboy", "hereisstocks", "iwanttoloveu", "ilovedice123", and "iamthewinnee". The largest of these attacks was started by ilovedice123 on 10/15, and 138,724.325 EOS was obtained during it. Media reported it afterward, and the attack itself then came to light through analysis by security companies.
Attacks started by the same ID
The PeckShield blockchain situation monitoring platform found that between 13:27 and 13:38 on 10/15, ilovedice123 started 10+ large transactions to exchanges: 72,150 EOS were deposited into Bitfinex and 65,100 EOS into Poloniex.
By tracing the money flow from the several attacker accounts, PeckShield security engineers found that, after several transactions, the money from the five attacker accounts eventually went to two accounts on Bitfinex and Poloniex. The Bitfinex account is (bitfinexdep1) 0aa03fbec9a3b2bec49e97575b506644, and the Poloniex account is (poloniexeos1) 9bb2aa5fc22a1bb2. From this we conclude that these attacks were started by the same hacker, who, after several small-scale trials, launched the large-scale attack on 10/15.
Our tally shows the attacker obtained 145,321.0712 EOS in total, and in monetary terms the loss to the EOSBet platform is over $700K USD.
PeckShield Inc. is a leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us on Telegram, Twitter, or by email.