- Hackers discovered and exploited a weak point in the smart contract system.
- Three illegal siphoned 65,000 EOS which is approximately $338K.
- Users will be wondering whether EOSBet’s developers audited the code and harden security measures.
Hackers may have discovered a soft target in the blockchain-powered EOSbet gambling dApp, as they have hit again after less than a month – this time hauling away approximately $338,000 in EOS tokens.
EOSBet Attacked Again
The announcement via a tweet said hackers are believed to have discovered and exploited a weak point in the company’s automated dice game EOSBet and siphoned about 65,000 EOS. The criminals inserted a malicious code into the standard EOS accounts making digital baddies trick their smart contracts.
Hackers target EOS gambling dApp once again, $338K believed stolen https://t.co/d7Xx4JCn5S
— TNW (@TheNextWeb) October 15, 2018
The targeted accounts instantly granted the hackers access to their EOS wallets giving the attackers access to cryptocurrencies every time their accounts sent transactions between themselves. The malicious code activated the funds’ transfer function and tricked the wallets into matching every transaction with an equal amount of cryptocurrency from its operational wallets.
A screenshot showing what is believed to be three illegal transactions showed the attacker account siphoning 65,000 EOS which is approximately $338K from a leading cryptocurrency exchange.
The EOSBet team has not yet revealed the full extent of the damage by the time of writing but a block producer confirmed the incident in a statement on Medium, stating that the developers had dealt with the vulnerability. The statement read in part:
“Vulnerability has been discovered in multiple contracts using notifications from other contracts. All parameters from notifications need to be explicitly checked as checking only contract name and action name is not sufficient.”
A Rough Month for EOSBet
Last month, hackers attacked EOSBet, only a few days after it declared itself the safest of its kind and made away with 40,000 EOS which is approximately $200,000, making it over $500,000 in one month. The hackers similarly exploited vulnerabilities in the company’s smart contracts. During last month’s incident, a company spokesperson called it “a minor incident” and stated:
“A few hours ago, we were attacked, and about 40,000 EOS was taken from our bankroll, […] this bug was not minor as was stated previously, and we are still doing forensics and piecing together what happened.”
Following the first incident, the company took the dApp offline to “figure out exactly what happened” and reported they had identified the bug that caused the “faulty assertion statement in their code” and promised to work with the developers to fix the problem.
Just like the last time, it appears like the hackers targeted the transfer function again, using a sake hash and could trick the system to illegitimately send huge amounts of the cryptocurrency again. Users will wonder whether EOSBet’s developers actually extensively audited the code and harden security measures as they had promised.