Naked Security

Blockchain hustler beats the house with smart contract hack

A hacker used their own code to tamper with a smart contract run by a betting company, and walked off with $24,000.

A wily hacker has scored a thousand dollar cryptocurrency jackpot – 24 times – by using their own code to tamper with a smart contract run by a betting company on the EOS blockchain.
EOS is a blockchain-based cryptocurrency launched by Block.one, and it is a competitor to the more established Ethereum.
Unlike Bitcoin, which uses a blockchain to record the transfer of digital currency, EOS and Ethereum both enable people to run computer programs. These programs are called smart contracts, and instead of running in one place they run on many computers connected to the blockchain.
Smart contracts can do similar things to more conventional programs on the regular internet. They can run ecommerce sites, digital currency exchanges, and games. In this case, a Maltese company called DEOS Games was using the EOS blockchain to run a gambling game.
Customers send a quantity of the EOS cryptocurrency over the network to DEOS smart contracts running Lotto, Blackjack or Roulette. A smart contract processes the bet, and if the customer wins, it sends them their winnings and their original stake.
These blockchain betting shops use cryptographic techniques to prove that the contracts are fair and that they’re not just taking your money. In fact, DEOS goes so far as to promise “no house advantage”. That couldn’t have been more true in the case of runningsnail.
Runningsnail is an EOS user who figured out a way to hack a DEOS smart contract, and thanks to the wonder of the EOS block explorer – a system that lets people see transactions on its blockchain – the internet got a front row seat.
On 9 September, the user’s account shows several small transactions in which DEOS Games sent winnings to runningsnail, beginning at 6:24am west coast time. These continued for a few minutes, culminating in a transaction of 16.4 EOS at 6:32am. This was just a warm-up before the fun really started.
Shortly afterward came a series of similar transaction exchanges. Runningsnail would transfer 10 EOS to thedeosgames, and would promptly receive 197 EOS in winnings. This happened 24 times, for a grand total of 4728 EOS, not including the first few exploratory transactions. Given the price of EOS at the time of the heist – around $5.13 – that means runningsnail stole about $24,250.
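The transaction pattern described above (a few small warm-up wins, then 10 EOS in and 197 EOS out, 24 times in a row) is exactly the kind of thing a betting house could catch from its own side of the ledger while it is still happening. The following monitor is an added example, not code from DEOS Games, Block.one or the article; it parses constructed explorer-style transfer records (the line format, the timestamps other than the 6:32am payout, the account "alice", and the limits `NET_LOSS_LIMIT_EOS`, `WINDOW` and `REPEAT_LIMIT` are all assumptions) and raises two alerts: one when net payouts to a single account inside a sliding window exceed a limit, and one when the same stake/payout pair repeats back to back, which a fair game with working randomness should not produce.

```python
"""Monitor for a blockchain betting house: scan explorer-style transfer
records and flag payout patterns a fair game should not produce.
Added example; not code from DEOS Games or the EOS project."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

HOUSE = "thedeosgames"        # house account as shown on the EOS block explorer
EOS_USD = 5.13                # price the article quotes at the time of the hack
NET_LOSS_LIMIT_EOS = 500.0    # hypothetical: max net payout to one account per window
WINDOW = timedelta(hours=1)   # hypothetical sliding window
REPEAT_LIMIT = 5              # hypothetical: identical stake/payout pairs in a row


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    sender: str
    receiver: str
    amount: float  # EOS


def parse_line(line: str) -> Transfer:
    """Parse '<ISO-8601 ts> <from> -> <to> <amount> EOS'.
    This record format is constructed for the example, not the explorer's output."""
    ts, sender, arrow, receiver, amount, unit = line.split()
    if arrow != "->" or unit != "EOS":
        raise ValueError(f"unexpected record: {line!r}")
    return Transfer(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                    sender, receiver, float(amount))


def scan(transfers: List[Transfer]) -> Tuple[List[str], Dict[str, float]]:
    """Return (alerts, net EOS paid out per player).
    Heuristic 1: net payout to one player inside WINDOW exceeds NET_LOSS_LIMIT_EOS.
    Heuristic 2: the same (stake, payout) pair occurs REPEAT_LIMIT times in a row."""
    alerts: List[str] = []
    net: Dict[str, float] = defaultdict(float)
    recent: Dict[str, deque] = defaultdict(deque)  # player -> (ts, signed amount)
    last_stake: Dict[str, float] = {}
    streak: Dict[str, Tuple[Tuple[float, float], int]] = {}
    limit_fired = set()

    for t in sorted(transfers, key=lambda x: x.ts):
        if t.receiver == HOUSE:            # player places a stake
            player, signed = t.sender, -t.amount
            last_stake[player] = t.amount
        elif t.sender == HOUSE:            # house pays out winnings
            player, signed = t.receiver, t.amount
            stake = last_stake.get(player)
            if stake is not None:
                pair = (stake, t.amount)
                prev_pair, n = streak.get(player, (None, 0))
                n = n + 1 if pair == prev_pair else 1
                streak[player] = (pair, n)
                if n == REPEAT_LIMIT:
                    alerts.append(f"{player}: {n} identical stake/payout pairs "
                                  f"({stake} -> {t.amount} EOS) at {t.ts.isoformat()}")
        else:
            continue                       # transfer not involving the house
        net[player] += signed
        q = recent[player]
        q.append((t.ts, signed))
        while q and t.ts - q[0][0] > WINDOW:   # drop entries outside the window
            q.popleft()
        window_net = sum(a for _, a in q)
        if window_net > NET_LOSS_LIMIT_EOS and player not in limit_fired:
            limit_fired.add(player)
            alerts.append(f"{player}: net {window_net:.1f} EOS paid out within "
                          f"{WINDOW} (limit {NET_LOSS_LIMIT_EOS})")
    return alerts, dict(net)


def to_usd(eos: float) -> float:
    return round(eos * EOS_USD, 2)


def build_sample_log() -> List[str]:
    """Constructed records mirroring the article's sequence: warm-up wins ending
    with 16.4 EOS at 6:32am Pacific (13:32 UTC), then 24 rounds of 10 in / 197 out.
    'alice' is a constructed honest player who should raise no alert."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    base = datetime(2018, 9, 9, 13, 24, tzinfo=timezone.utc)
    stamp = lambda m, s=0: (base + timedelta(minutes=m, seconds=s)).strftime(fmt)
    lines = [
        f"{stamp(0)} {HOUSE} -> runningsnail 1.5 EOS",    # constructed warm-up win
        f"{stamp(4)} {HOUSE} -> runningsnail 3.2 EOS",    # constructed warm-up win
        f"{stamp(6)} alice -> {HOUSE} 5 EOS",
        f"{stamp(6, 30)} {HOUSE} -> alice 9 EOS",
        f"{stamp(8)} {HOUSE} -> runningsnail 16.4 EOS",   # figure from the article
        f"{stamp(9)} alice -> {HOUSE} 5 EOS",              # alice loses this one
    ]
    for i in range(24):
        lines.append(f"{stamp(16 + i)} runningsnail -> {HOUSE} 10 EOS")
        lines.append(f"{stamp(16 + i, 30)} {HOUSE} -> runningsnail 197 EOS")
    return lines


if __name__ == "__main__":
    found, totals = scan([parse_line(l) for l in build_sample_log()])
    for a in found:
        print("ALERT", a)
    print("net EOS per player:", totals)
    print("24 x 197 EOS in USD:", to_usd(24 * 197))
```

Both heuristics work from information the house already has (its own incoming and outgoing transfers), so the check can run off-chain against the explorer feed and pause payouts to an account long before 24 rounds have completed; the per-window limit fires on the third 197 EOS payout in this data, the repetition check on the fifth.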
DEOS Games confirmed the hack the next day:

This highlights a problem with smart contracts. Unlike other software, which deals with symbols representing money, the data that they send around the network is actually money. When it’s sent, no bank has to follow up and settle it later. It’s gone, whisked off to someone’s anonymous account – whoosh – and you don’t get it back. So the stakes are high when dealing with security flaws in smart contracts.
Runningsnail’s smart contract interacted with the DEOS Games contract, but included malicious code that made the DEOS contract do something it shouldn’t.


This isn’t the first time that hackers have used one smart contract to attack another.
The most famous hack hit the Decentralized Autonomous Organization (DAO), a company set up in 2016 to function entirely using smart contracts which would handle all the back office tasks normally taken care of by lawyers and admins. People bought tokens based on the Ethereum network’s cryptocurrency, Ether, that gave them the right to vote as part of the DAO, enabling them to vote to fund different entrepreneurial projects.
Unfortunately, someone exploited a series of vulnerabilities in the smart contract and siphoned off around $55m in Ether into another address. This posed a crisis for Ethereum, which ended up having to break a cardinal blockchain rule and commit to a hard fork so that it could invalidate the transaction. This effectively rolled back transactions on its blockchain, as though they had never happened.
Blockchains are supposed to be immutable, and playing God in this way is a big deal. It split the community, and some people were so sore about it that they set up Ethereum Classic, another version of the network that didn’t acknowledge the hard fork.
There have been many more smart contract exploits since – all easily trackable via block explorers. However, while you can see the hacks taking place, you can’t easily link the account name to who’s behind them. It’s like watching someone rob a bank in disguise and not being able to do a thing about it.
Programming is hard, and programming smart contracts is no exception. Expect to see a lot of this sort of thing in these early days of blockchain-based applications.



6 Comments

Thanks for posting. I’m interested to know why you think this is stealing – or a heist. This is a natural consequence of someone pushing out a buggy smart contract onto the blockchain. Code is law.

This has been a common argument when talking about smart contract hacks. I’m not convinced. People can also launch SQL injections, XSS and CSRF attacks by simply changing code to exploit flaws in programming, but the industry tends to view those as attacks, and any proceeds from their use as theft. When attackers altered a script to steal data from BA’s web site this month, the press commonly described it as stealing. Yet as far as I can see they’re doing little more than simply writing code to exploit other buggy code.
Code is not law. The US Computer Fraud and Abuse Act is the law. Code is simply a tool. In my view, people who misuse it to line their own pockets have agency, and intent, and calling their acts a natural consequence lets them off the hook, morally and ethically speaking.
Or, to put it another way, just because you can do something doesn’t mean you should.

Being a “natural consequence” and being theft are not mutually exclusive. I can get behind the idea that if you publish something easily exploitable, it will be exploited and you need to expect as much. But that doesn’t mean those that are doing the exploiting aren’t responsible or that they are doing the right thing. If I run around with a see-through case full of money, I shouldn’t be surprised if someone tries to take it. But if someone does take it, they are still stealing it, regardless of how easy it was or how much better I could have kept my money safe.

In many jurisdictions, knowingly exploiting a vulnerability is a criminal offence in its own right – the courts don’t accept the excuse that “there’s an unpatched security hole in a browser so it’s OK to use it to install software – even legit, non-malicious software – in a way that bypasses the controls you would expect.”
