A cunning hacker has hit a thousand-dollar cryptocurrency jackpot 24 times over, using code of his own to tamper with a smart contract run by a betting company on the EOS blockchain.
EOS is a blockchain-based cryptocurrency launched by Block.one, and a competitor to the more established Ethereum.
Unlike Bitcoin, whose blockchain records only transfers of digital currency, EOS and Ethereum let people run computer programs on theirs. These programs are called smart contracts, and instead of executing in one place they execute on many computers connected to the blockchain.
Smart contracts can do much of what conventional programs on the ordinary Internet do: run e-commerce sites, digital currency exchanges and games. In this case, a Maltese company called DEOS Games used the EOS blockchain to run games of chance.
Customers send a quantity of EOS cryptocurrency across the network to DEOS smart contracts that run Lotto, Blackjack or Roulette. The smart contract processes the bet, and if the customer wins, it sends them their winnings plus their original stake.
These blockchain betting shops use cryptographic techniques to show that the contracts are fair and that they are not simply taking your money. In fact, DEOS goes so far as to promise "no house advantage". That could not have been truer in the case of runningsnail.
Runningsnail is an EOS user who found a way to hack a DEOS smart contract, and thanks to the wonders of EOS's block explorer – a system that lets anyone view the transactions on its blockchain – the Internet got a front-row seat.
On September 9th, the user's account shows several small transactions in which DEOS Games paid winnings to runningsnail, starting at 6:24 pm West Coast time. These continued for a few minutes, culminating in a 16.4 EOS transaction at 6:32 am. This was just a warm-up before the fun really started.
Shortly afterwards came a series of similar transactions. Runningsnail would transfer 10 EOS into a game and promptly receive 197 EOS in winnings. This happened 24 times, for a total of 4,728 EOS, excluding the initial exploratory transactions. At the EOS price at the time of the heist – around $5.13 – that means runningsnail stole around $24,250.
DEOS Games confirmed the hack the following day:
We are back in service with EOS for the last 6+ hours. Yesterday we got a malicious contract to take advantage of our contract. It is a good stress test and we have achieved significant improvements at the contract level. Keep doing what we do, remember we're still in beta!
– DEOSGames (@DEOS_Games) 10 September 2018
This highlights a problem with smart contracts. Unlike other software, which deals with symbols that represent money, the data sent around the network actually is money. Once it is sent, there is no bank to chase it down and settle up later. If it's gone, carried off to someone's anonymous account – whoosh – you don't get it back. So the stakes are high when security problems surface in smart contracts.
Runningsnail's smart contract interacted with the DEOS Games contract, but included malicious code that caused the DEOS contract to do something it should not have.
This is not the first time hackers have used a smart contract to attack another.
The most famous hack hit the Decentralized Autonomous Organization (DAO), an entity created in 2016 to operate entirely through smart contracts that handled all the back-office work normally done by lawyers and administrators. People bought tokens with Ether, the Ethereum network's cryptocurrency, which gave them voting rights in the DAO and let them vote on funding for various business projects.
Unfortunately, someone exploited a number of vulnerabilities in the smart contract and siphoned about $55 million in Ether to another address. This caused a crisis for Ethereum, which ended up breaking a cardinal rule of blockchains and carrying out a hard fork so that it could invalidate the transaction. This effectively rolled back its blockchain transactions as if they had never happened.
Blockchains are supposed to be immutable, and playing God in this way is a big deal. It split the community, and some people were so sore that they created Ethereum Classic, another version of the network that did not recognize the hard fork.
There have been many other smart contract exploits since then – all easily traceable through block explorers. But while you can watch the hacks in progress, you can't easily connect the account name to whoever is behind it. It's like watching someone in disguise rob a bank and being unable to do anything about it.
Programming is hard, and programming smart contracts is no exception. Expect to see a lot of this sort of thing in these early days of blockchain-based applications.