Thieves have exploited another vulnerability in the automated dice game EOSBet, allegedly taking at least $338,000 from its operational wallets.
By injecting standard EOS accounts with malicious code, digital baddies appear to have tricked its smart contract into mistakenly crediting their accounts with large amounts of cryptocurrency.
Shown below are three transactions thought to be illegitimate. They detail one of the attackers’ accounts (“ilovedice123”) siphoning 65,000 EOS ($338K) directly to a major cryptocurrency exchange.
The EOSBet team is yet to reveal the full extent of the damage, but a block producer did confirm developers have since patched the platform.
EOS wallets injected with code
Hackers added malicious code to their EOS wallets, causing a targeted account to instantly credit the attackers with cryptocurrency every time they sent transactions between themselves.
In this case, the code activated EOSBet’s “transfer” function, tricking it into matching every EOS sent with equal amounts from its operational wallets.
Here, we can see the dodgy transactions happening rapidly, draining a significant chunk of EOSBet’s holdings in less than a minute. Each transaction is thought to represent another 500 EOS gained by the thieves.
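An added illustration, not EOSBet's code or its patch: a plain C++ model (no EOSIO SDK) of a "transfer" notification handler, showing the checks that keep a transfer between two other accounts from being credited as a deposit. The `DiceContract` type, the account names and the assumption that the missing validation was on the transfer's recipient are assumptions made for this example; `eosio.token` is the standard EOS token contract.

```cpp
// Added illustration: plain C++ model, not EOSIO SDK code. All names hypothetical.
#include <cstdint>
#include <string>
#include <utility>

struct Transfer {            // payload of a token "transfer" action
    std::string from, to;
    int64_t amount;          // whole EOS, for simplicity
};

struct DiceContract {
    std::string self;        // account the contract is deployed on
    std::string token_code;  // token contract whose notifications are trusted
    int64_t credited = 0;    // total accepted as bets
    DiceContract(std::string s, std::string t)
        : self(std::move(s)), token_code(std::move(t)) {}

    // Unchecked: any "transfer" notification is treated as a deposit.
    bool on_transfer_unchecked(const std::string& /*code*/, const Transfer& t) {
        credited += t.amount;
        return true;
    }

    // Checked: only a real deposit addressed to this contract is credited.
    bool on_transfer_checked(const std::string& code, const Transfer& t) {
        if (code != token_code) return false;  // not from the trusted token contract
        if (t.from == self) return false;      // our own outgoing payout
        if (t.to != self) return false;        // funds went to someone else
        if (t.amount <= 0) return false;       // nothing was deposited
        credited += t.amount;
        return true;
    }
};

// Constructed sample: a 500 EOS transfer between two third-party accounts.
int64_t credited_for_third_party_transfer(bool checked) {
    DiceContract c("dicecontract", "eosio.token");
    Transfer t{"accounta", "accountb", 500};
    if (checked) c.on_transfer_checked("eosio.token", t);
    else         c.on_transfer_unchecked("eosio.token", t);
    return c.credited;
}

int main() {
    // Expect 500 credited without the checks and 0 with them.
    return (credited_for_third_party_transfer(false) == 500 &&
            credited_for_third_party_transfer(true) == 0) ? 0 : 1;
}
```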
Just a month ago, hackers stole $200,000 from EOSBet by exploiting a different security flaw in its smart contract. Only days earlier, its developers had declared their platform to be the safest of its kind.
Well, after that incident, EOSBet promised the code had been audited “extensively” by its development team and “multiple independent third parties.” They then pledged to “harden” their security measures.
Let’s see if a further $338,000 in losses inspires some more drastic changes.
Published October 15, 2018 — 13:38 UTC