Early in the morning of 10/31, online media reported that the gambling platform EOSCast had been attacked by hackers and lost more than 70K EOS tokens. Blockchain security company PeckShield followed up, analyzed the on-chain data, and found that starting from 00:15 the hacker “refundwallet” attacked the EOSCast contract “eoscastdmgb1”: the first 8 attempts used the “Fake EOS attack” and failed, and the following 9 attempts used a variant of the Fake EOS transfer attack and succeeded.

“Fake EOS transfer attack variant” details

The Fake EOS attack first appeared on the EOSBet platform. In general, the hacker creates a token named “EOS” and transfers a large amount of these fake EOS tokens to a contract. Because the attacked contract may not check which contract issued the tokens, it treats them as real EOS tokens, runs the ‘transfer’ function in the contract, and rewards the hacker according to its game rules. The key to the success of this fake EOS attack is that the attacked contract does not check the contract name of the issuer of the tokens it receives.

This time, when the hacker targeted the EOSCast game contract, he/she first tried the “Fake EOS attack”: hacker “refundwallet” issued a large amount of fake EOS tokens and transferred 100 tokens per transaction to the game contract “eoscastdmgb1”. But the EOSCast contract restricts incoming transfers to the EOS system token contract (eosio.token), so the attack did not succeed.

Then the hacker changed strategy and used a variant of the “Fake EOS transfer attack”, calling the “transfer” function of the game contract directly. Because the “eoscastdmgb1” contract did not check the caller of the transfer function, the hacker could write a forged transfer notice into it. The input parameter is “90558c86a7a997ba100e93296383305500e1f5050000000004454f530000000023656f7363617374646d6762312d6269672d6f64642d5b5d2d5b5d2d5b5d2d5b5d2d5b5d” and the JSON parsing result is as follows. The transaction details are shown in Figure 1.

{
	"args": {
		"from": "refundwallet",
		"to": "eoscastdmgb1",
		"quantity": "10000.0000 EOS",
		"memo": "eoscastdmgb1-big-odd-[]-[]-[]-[]-[]"
	}
}

Figure 1: Attack Transaction Details


Therefore, by calling the transfer function with forged parameters, the attacker pushed an EOS transfer notice to the game contract without performing any actual token transfer, and the contract rewarded the attacker as if real EOS tokens had been transferred to it. Also worth mentioning is that, just like in the Fake EOS attack, the attacker encrypted the input parameter of the transfer function to hinder tracing by EOS block explorers, as shown in Figure 2.

In about 4 minutes (4 games), the attacker used the “Fake EOS transfer variant” 9 times and, according to the game rules, was awarded 198, 9,800, 19,600 tokens, and so on. During the last attack, the game host noticed the attack and moved the remaining 8000 EOS tokens out. Overall, the hacker obtained 63,014.1 EOS tokens.


Figure 2: Transfer Function Input Parameter is Encrypted
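The hex input parameter quoted above, and the "encrypted" parameter of Figure 2, are the EOSIO binary (ABI) serialization of the transfer action's arguments: two 8-byte account names, an asset (8-byte amount plus 8-byte symbol) and a length-prefixed memo. The following decoder is an added example, not PeckShield's or EOSCast's code; it depends only on the C++ standard library, re-implements the eosiolib name and asset formatting locally, and recovers the JSON of Figure 1 from that hex. The rejection helper at the end is a hypothetical addition so that truncated or padded input fails loudly instead of being misread.

```cpp
// Added example: decode an EOSIO transfer action payload from its hex form.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// The parameter quoted in the write-up, with the extraction space removed.
static const char* ATTACK_HEX =
    "90558c86a7a997ba100e93296383305500e1f5050000000004454f530000000023"
    "656f7363617374646d6762312d6269672d6f64642d5b5d2d5b5d2d5b5d2d5b5d2d5b5d";

struct Transfer { std::string from, to, quantity, memo; };

static std::vector<uint8_t> from_hex(const std::string& hex) {
    if (hex.size() % 2) throw std::runtime_error("odd hex length");
    std::vector<uint8_t> out;
    for (size_t i = 0; i < hex.size(); i += 2)
        out.push_back(static_cast<uint8_t>(std::stoul(hex.substr(i, 2), nullptr, 16)));
    return out;
}

// Bounds-checked little-endian reader: throws rather than reading past the end.
class Reader {
public:
    explicit Reader(const std::vector<uint8_t>& b) : buf_(b) {}
    uint64_t u64() {
        need(8);
        uint64_t v = 0;
        for (int i = 0; i < 8; ++i) v |= static_cast<uint64_t>(buf_[pos_ + i]) << (8 * i);
        pos_ += 8;
        return v;
    }
    uint32_t varuint32() {  // LEB128, used by EOSIO for string/vector lengths
        uint32_t v = 0; int shift = 0; uint8_t b;
        do { need(1); b = buf_[pos_++]; v |= static_cast<uint32_t>(b & 0x7f) << shift; shift += 7; }
        while (b & 0x80);
        return v;
    }
    std::string str() {
        uint32_t n = varuint32();
        need(n);
        std::string s(buf_.begin() + pos_, buf_.begin() + pos_ + n);
        pos_ += n;
        return s;
    }
    bool done() const { return pos_ == buf_.size(); }
private:
    void need(size_t n) const { if (pos_ + n > buf_.size()) throw std::runtime_error("truncated data"); }
    const std::vector<uint8_t>& buf_;
    size_t pos_ = 0;
};

// eosiolib name -> string: twelve 5-bit chars plus a 4-bit 13th, trailing dots dropped.
static std::string name_to_string(uint64_t name) {
    static const char* charmap = ".12345abcdefghijklmnopqrstuvwxyz";
    std::string str(13, '.');
    uint64_t tmp = name;
    for (int i = 0; i <= 12; ++i) {
        str[12 - i] = charmap[tmp & (i == 0 ? 0x0f : 0x1f)];
        tmp >>= (i == 0 ? 4 : 5);
    }
    while (!str.empty() && str.back() == '.') str.pop_back();
    return str;
}

// eosiolib asset: int64 amount scaled by 10^precision; symbol = precision byte + code chars.
static std::string asset_to_string(int64_t amount, uint64_t sym) {
    unsigned precision = sym & 0xff;
    std::string code;
    for (uint64_t s = sym >> 8; s & 0xff; s >>= 8) code += static_cast<char>(s & 0xff);
    std::string digits = std::to_string(amount < 0 ? -amount : amount);
    if (digits.size() <= precision) digits.insert(0, precision + 1 - digits.size(), '0');
    if (precision) digits.insert(digits.size() - precision, ".");
    return (amount < 0 ? "-" : "") + digits + " " + code;
}

Transfer decode_transfer(const std::string& hex) {
    std::vector<uint8_t> buf = from_hex(hex);
    Reader r(buf);
    Transfer t;
    t.from = name_to_string(r.u64());
    t.to = name_to_string(r.u64());
    int64_t amount = static_cast<int64_t>(r.u64());
    uint64_t sym = r.u64();
    t.quantity = asset_to_string(amount, sym);
    t.memo = r.str();
    if (!r.done()) throw std::runtime_error("trailing bytes after memo");
    return t;
}

// Hypothetical helper: true when the payload is malformed (truncated or padded).
bool decode_rejects(const std::string& hex) {
    try { decode_transfer(hex); return false; } catch (const std::exception&) { return true; }
}

int main() {
    Transfer t = decode_transfer(ATTACK_HEX);
    std::printf("from=%s to=%s quantity=%s memo=%s\n",
                t.from.c_str(), t.to.c_str(), t.quantity.c_str(), t.memo.c_str());
    return 0;
}
```

Decoding the payload this way is how an analyst ties a raw-hex transaction shown by an explorer back to the forged "from"/"quantity" fields; the 10000.0000 EOS it claims was never debited from any eosio.token balance.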


After the attack

After hacker “refundwallet”’s attack, around noon on 11/1, the PeckShield blockchain situation monitoring platform detected account “xobkwdiifget” probing many EOS games; by 15:43 it had attacked 168 EOS games. Luckily, these game contracts require the caller to supply a self-defined memo, while the attacker's contract used an empty memo input, so none of the attacks succeeded even though some of the game contracts may have the same loophole. With the increasing frequency of this type of attack threatening the EOS DApp ecosystem, PeckShield would like to remind game developers of the risk.

Suggested fix: in the contract's dispatcher, only handle a transfer when it is a notification from the EOS token contract “eosio.token” with action “transfer”; handle the contract's own actions only when the code is the contract itself and the action is not “transfer”:

if ((code == N(eosio.token) && action == N(transfer)) || (code == self && action != N(transfer)))
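To make the effect of that guard concrete, here is a host-side model of an EOSIO contract's apply() dispatcher, written as an added example rather than taken from PeckShield's or EOSCast's code. It re-implements eosiolib's string_to_name / N() locally so it compiles without the EOSIO SDK, and it assumes (as a model of the pre-fix logic, not EOSCast's actual source) that the vulnerable dispatcher admitted any action whose code was the contract itself or eosio.token and then routed purely by action name. The "resolvebet" action and the fake token account "fakeeosmint1" are hypothetical names used only to exercise the two dispatchers.

```cpp
// Added example: vulnerable vs. fixed action dispatch for an EOSIO game contract.
#include <cstdint>
#include <cstdio>
#include <string>

// Local re-implementation of eosiolib's string_to_name / N(): account names are
// up to 12 base-32 chars ('.', '1'-'5', 'a'-'z') packed into a uint64_t.
static uint64_t char_to_symbol(char c) {
    if (c >= 'a' && c <= 'z') return (c - 'a') + 6;
    if (c >= '1' && c <= '5') return (c - '1') + 1;
    return 0;
}
static uint64_t string_to_name(const char* str) {
    uint64_t name = 0;
    int i = 0;
    for (; str[i] && i < 12; ++i)
        name |= (char_to_symbol(str[i]) & 0x1fULL) << (64 - 5 * (i + 1));
    if (i == 12) name |= char_to_symbol(str[12]) & 0x0fULL;
    return name;
}
#define N(X) string_to_name(#X)

// Deserialized arguments of a transfer action, as in Figure 1.
struct TransferArgs { std::string from, to, quantity, memo; };

enum class Outcome { Ignored, DepositCredited, OwnActionRun };

// The game's transfer handler. It can only validate the payload; whether that
// payload is backed by a real eosio.token transfer is decided by the dispatcher.
static Outcome on_transfer(uint64_t self, const TransferArgs& t) {
    if (string_to_name(t.to.c_str()) != self) return Outcome::Ignored;   // not for us
    if (string_to_name(t.from.c_str()) == self) return Outcome::Ignored; // our own payout
    if (t.quantity.size() < 4 || t.quantity.compare(t.quantity.size() - 4, 4, " EOS") != 0)
        return Outcome::Ignored;                                        // wrong symbol
    if (t.memo.empty()) return Outcome::Ignored;                         // bet memo required
    return Outcome::DepositCredited;  // bet accepted; payout logic would follow
}

// Modelled pre-fix dispatcher (an assumption, not EOSCast's source). It blocks the
// fake-token notification (code == the fake token contract) but lets
// code == self, action == transfer reach on_transfer() with attacker-chosen
// from/quantity while no tokens have moved.
Outcome apply_vulnerable(uint64_t self, uint64_t code, uint64_t action, const TransferArgs& args) {
    if (code != self && code != N(eosio.token)) return Outcome::Ignored;
    if (action == N(transfer)) return on_transfer(self, args);
    if (action == N(resolvebet)) return Outcome::OwnActionRun;  // hypothetical own action
    return Outcome::Ignored;
}

// Dispatcher using the guard from the suggested fix: "transfer" is handled only
// as a notification from eosio.token, and the contract's own actions only when
// code == self and the action is anything but "transfer".
Outcome apply_fixed(uint64_t self, uint64_t code, uint64_t action, const TransferArgs& args) {
    if (!((code == N(eosio.token) && action == N(transfer)) ||
          (code == self && action != N(transfer))))
        return Outcome::Ignored;
    if (action == N(transfer)) return on_transfer(self, args);
    if (action == N(resolvebet)) return Outcome::OwnActionRun;
    return Outcome::Ignored;
}

// The forged payload of Figure 1 (constructed from the write-up's JSON).
static const TransferArgs FORGED = {"refundwallet", "eoscastdmgb1", "10000.0000 EOS",
                                    "eoscastdmgb1-big-odd-[]-[]-[]-[]-[]"};

int main() {
    const uint64_t game = N(eoscastdmgb1);
    const char* labels[] = {"ignored", "deposit credited", "own action run"};
    std::printf("direct transfer call, vulnerable dispatcher: %s\n",
                labels[(int)apply_vulnerable(game, game, N(transfer), FORGED)]);
    std::printf("direct transfer call, fixed dispatcher:      %s\n",
                labels[(int)apply_fixed(game, game, N(transfer), FORGED)]);
    std::printf("real eosio.token notification, fixed:        %s\n",
                labels[(int)apply_fixed(game, N(eosio.token), N(transfer), FORGED)]);
    return 0;
}
```

The point of the guard is that the transfer handler is reachable from exactly one path, a notification relayed by eosio.token, so the "from" and "quantity" it sees are the ones eosio.token actually debited. The memo check in the handler is the reason the later "xobkwdiifget" probes with an empty memo failed, but it is a property of the game rules, not a substitute for the dispatcher check.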

About us

PeckShield Inc. is a leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us via Telegram, Twitter, or email.



Published

02 November 2018