Blockchain hustler beats the house with a clever trick – Naked Security


An astute hacker has scored a thousand-dollar cryptocurrency jackpot, 24 times over, using his own code to tamper with a smart contract run by an EOS blockchain betting company.

EOS is a blockchain-based cryptocurrency and a competitor of the more established Ethereum.

Unlike Bitcoin, which uses its blockchain to record transfers of digital currency, EOS and Ethereum let people run programs on theirs. These programs are called smart contracts, and instead of executing in one place they execute on many computers connected to the blockchain.

Smart contracts can do much the same things as conventional programs on the ordinary internet. They can run e-commerce sites, digital currency exchanges and games. In this case, a Maltese company called DEOS Games used the EOS blockchain to run games of chance.

Customers send EOS cryptocurrency over the network to DEOS smart contracts that run Lotto, Blackjack or Roulette. The smart contract processes the bet, and if the customer wins, it sends back their winnings along with their original stake.

These blockchain betting shops use cryptographic techniques to show that the contracts are fair and are not simply pocketing your money. In fact, DEOS goes so far as to promise "no house edge". In the case of runningsnail, that turned out to be truer than intended.

Runningsnail is an EOS user who found a way to hack a DEOS smart contract, and thanks to the wonder of EOS's block explorer – a system that lets anyone view transactions on the blockchain – the internet has a front-row seat.

On September 9th, the user's account shows several small transactions in which DEOS Games paid out winnings to runningsnail, starting at 6:24 pm West Coast time. These continued for a few minutes, culminating in a 16.4 EOS transaction at 6:32 pm. This was just a warm-up before the fun really started.

Shortly afterwards came a series of similar transactions. Runningsnail would transfer 10 EOS into a game and promptly receive 197 EOS in winnings. This happened 24 times, for a total of 4728 EOS, excluding the initial exploratory transactions. At the price of EOS at the time of the heist – around $5.13 – that means runningsnail made off with around $24,250.
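The block explorer makes this pattern visible to anyone, and the same visibility lets the house spot it. The following is an added example, not code from the Naked Security article, DEOS Games or EOS: a small payout-anomaly check run over constructed transfer records that mirror the article's figures (24 bets of 10 EOS, each answered by a 197 EOS payout, next to an ordinary player for contrast). The house account name `deosgames`, the player `alice`, the timestamps and the alert thresholds are all assumptions.

```python
# Added example: a payout-anomaly check over constructed block-explorer-style
# transfer records. Not code from the Naked Security article, DEOS Games or EOS;
# every account name except "runningsnail", all timestamps and the thresholds
# below are assumptions.
from collections import defaultdict
from dataclasses import dataclass

HOUSE = "deosgames"        # assumed name for the casino contract account
PLAYER = "runningsnail"    # the account named in the article
EOS_USD = 5.13             # price quoted in the article


@dataclass
class Transfer:
    block_time: str   # constructed ISO-8601 UTC timestamps
    sender: str
    receiver: str
    amount: float     # EOS
    memo: str


@dataclass
class Stats:
    bets: int = 0
    wins: int = 0
    staked: float = 0.0
    paid_out: float = 0.0
    streak: int = 0         # consecutive bets that were paid out
    max_streak: int = 0
    open_bet: bool = False  # a bet placed but not yet settled


def build_sample_ledger():
    """Constructed records mirroring the article's figures: 24 bets of 10 EOS,
    each followed by a 197 EOS payout, plus an ordinary player for contrast."""
    ledger = []
    for i in range(24):
        minute = 35 + i
        ledger.append(Transfer(f"2018-09-10T01:{minute:02d}:00Z", PLAYER, HOUSE, 10.0, "bet"))
        ledger.append(Transfer(f"2018-09-10T01:{minute:02d}:01Z", HOUSE, PLAYER, 197.0, "win"))
    ledger += [
        Transfer("2018-09-10T01:40:30Z", "alice", HOUSE, 5.0, "bet"),
        Transfer("2018-09-10T01:41:30Z", "alice", HOUSE, 5.0, "bet"),
        Transfer("2018-09-10T01:41:31Z", HOUSE, "alice", 9.5, "win"),
        Transfer("2018-09-10T01:42:30Z", "alice", HOUSE, 5.0, "bet"),
    ]
    return ledger


def summarise(ledger, house=HOUSE):
    """Fold transfers into per-player stats. A transfer to the house is a bet;
    a transfer from the house settles that player's open bet as a win."""
    stats = defaultdict(Stats)
    for t in sorted(ledger, key=lambda t: t.block_time):
        if t.receiver == house:
            s = stats[t.sender]
            if s.open_bet:          # previous bet was never paid out: streak ends
                s.streak = 0
            s.bets += 1
            s.staked += t.amount
            s.open_bet = True
        elif t.sender == house:
            s = stats[t.receiver]
            s.wins += 1
            s.paid_out += t.amount
            s.streak += 1
            s.max_streak = max(s.max_streak, s.streak)
            s.open_bet = False
    return stats


def find_anomalies(stats, min_bets=10, max_ratio=5.0, max_streak=10):
    """Flag players whose payout/stake ratio or winning streak is far beyond
    what a fair game should produce over a meaningful number of bets.
    The thresholds are assumptions to be tuned per game."""
    flagged = []
    for player, s in stats.items():
        if s.bets < min_bets or s.staked == 0:
            continue
        ratio = s.paid_out / s.staked
        if ratio > max_ratio or s.max_streak >= max_streak:
            flagged.append(player)
    return sorted(flagged)


def usd_value(amount_eos, price=EOS_USD):
    """Convert an EOS amount to dollars at the article's quoted price."""
    return round(amount_eos * price, 2)


if __name__ == "__main__":
    summary = summarise(build_sample_ledger())
    for name in find_anomalies(summary):
        s = summary[name]
        print(f"{name}: {s.bets} bets, {s.wins} wins, {s.paid_out} EOS out "
              f"(~${usd_value(s.paid_out)}), longest streak {s.max_streak}")
```

Two signals are checked because either alone is noisy: a short lucky streak is normal, and a single large jackpot inflates the payout ratio, but 24 straight wins at almost 20 times the stake is neither. A check like this runs after the fact; on a blockchain it can only stop a contract from paying out the next bet, not claw back what has already been sent.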

DEOS Games confirmed the hack the following day:

This highlights a problem with smart contracts. Unlike other software, which handles symbols that merely represent money, the data sent around the network here actually is money. Once it is sent, there is no bank to chase it down and settle up later. If it's gone, whisked off to someone's anonymous account – whoosh – you don't get it back. So the stakes are high when it comes to security flaws in smart contracts.

Runningsnail's smart contract interacted with the DEOS Games contract, but included malicious code that caused the DEOS contract to do something it shouldn't have.