An EOS-based decentralized app (dApp) has been paying out big time. Betting platform DEOSGames was drained of a significant chunk of its operating funds in a heist that netted one ‘lucky’ punter almost $24,000.
Over less than an hour, a decentralized dice betting game paid its jackpot 24 times to just one individual. Despite depositing just 339 EOS EOS ($1,695), after the lucky streak was over, EOS account “runningsnail” somehow managed to walk away with more than 4,728 EOS (approx. $23,640).
The lucky account was created less than a day before funds were first sent for betting. Tracking relevant transactions via an EOS blockchain explorer, we can see the 197 EOS jackpot, each the equivalent of almost $1,000, being paid to runningsnail repeatedly.
The wins were seemingly automatic. Each and every time runningsnail deposited 10 EOS, the jackpot was paid within an average of 30 seconds.
So far, runningsnail has kept most of his winnings – but we can see that he has started experimenting with some other EOS betting dApps, perhaps looking for another soft target.
DEOSGames has confirmed the exploit on its social channels. “Yesterday, we got a malicious contract exploit our contract, ” a statement read. “It is a good stress test and we got significant improvements on contract level.”
It remains unclear of the vulnerability is unique to DEOSGames, or if it extends to all similar EOS smart contracts. We’ve asked the company for a clarification.
While $24,000 might seem like small change compared to other world-shaking cryptocurrency heists, the prevalence of these small-time hacks is growing. Betting dApps running on EOS, in particular, are being picked apart frequently.
Just a few weeks ago, a vulnerability was similarly exploited in EOSBet.io. In the fallout, its betting dApp was forced offline, and the bug eventually led researchers to find another critical flaw in the EOS blockchain.
The discovery of vulnerabilities in EOS code is a lucrative business in itself. Researchers digging into EOS’ code have collected over $417,000 in bug bounties; for context, the sum represents two-thirds of all cryptocurrency bug bountines on HackerOne this year.
(Edit: This post has been updated to correctly name the betting platform DEOSGames, as opposed to DEOSBet, as was originally reported.)
Published September 10, 2018 — 11:27 UTC