EOSBetCasino, the creator of the gambling platform that made the news yesterday, has come forward with more details about the hack. Some 44,000 EOS (EOS) were stolen by a hacker who exploited a vulnerability in the code. However, as revealed by EOSBetCasino, the vulnerability was entirely in the code of the smart contract itself, and not due to any flaws in the EOS blockchain. The vulnerability has since been patched.
Vulnerability in the Code
On September 14th a hacker managed to steal 44,000 EOS from EOSBetCasino, a gambling dApp on the EOS blockchain.
A flaw in the code of the gambling contract allowed the hacker to place bets without putting any of their own tokens on the line – losing nothing on failed bets, but collecting earnings on wins.
The vulnerability was old, and has been exploited in similar dApps before, although never on this scale. When the hack was discovered the contract was immediately taken down and the vulnerability patched out.
Although 44,000 EOS represents a significant loss to EOSBet, 463,000 tokens remain on the gambling platform, which is once more active and available to play on. EOSBet also promises to take security even more seriously going forward, with two independent third-party audits of its code as well as more extensive internal code reviews – a process that will be facilitated by expansions to the development team.
There are also plans to include an automatic emergency brake, which will freeze the contract if drastic drops in the internal wallets are detected. Lastly, over time EOSBet will be open-sourcing its dice roll smart contracts, at which point every part of the code for the gambling platform will be available for public scrutiny.
EOS not to Blame
When the news of the hack first broke, there was some confusion as to the nature of the vulnerability, and in typical tribalistic fashion many members of the crypto community assumed it was the code of EOS itself that contained the vulnerability.
Since the launch of its mainnet in June of this year, a number of bugs have been discovered; however, almost all of them were found by bounty hunters and neutralized before any malicious actors could exploit them – the main exception being the RAM-stealing hack that was discovered in August.