Blockchain hustler beats the house with smart contract hack

A wily hacker has scored a thousand dollar cryptocurrency jackpot – 24 times – by using their own code to tamper with a smart contract run by a betting company on the EOS blockchain.
EOS is a blockchain-based cryptocurrency launched by Block.one, and it is a competitor to the more established Ethereum.
Unlike Bitcoin, which uses a blockchain to record the transfer of digital currency, EOS and Ethereum both enable people to run computer programs. These programs are called smart contracts, and instead of running in one place they run on many computers connected to the blockchain.
Smart contracts can do similar things to more conventional programs on the regular internet. They can run ecommerce sites, digital currency exchanges, and games. In this case, a Maltese company called DEOS Games was using the EOS blockchain to run a gambling game.
Customers send a quantity of the EOS cryptocurrency over the network to DEOS smart contracts running Lotto, Blackjack or Roulette. A smart contract processes the bet, and if the customer wins, it sends them their winnings and their original stake.
These blockchain betting shops use cryptographic techniques to prove that the contracts are fair and that they’re not just taking your money. In fact, DEOS goes so far as to promise “no house advantage”. That couldn’t have been more true in the case of runningsnail.
Runningsnail is an EOS user who figured out a way to hack a DEOS smart contract, and thanks to the wonder of the EOS block explorer – a system that lets people see transactions on its blockchain – the internet got a front row seat.
On 9 September, the user’s account shows several small transactions in which DEOS Games sent winnings to runningsnail, beginning at 6:24am west coast time. These continued for a few minutes, culminating in a transaction of 16.4 EOS at 6:32am. This was just a warm-up before the fun really started.
Shortly afterward came a series of similar transaction exchanges. Runningsnail would transfer 10 EOS to thedeosgames, and would promptly receive 197 EOS in winnings. This happened 24 times, for a grand total of 4728 EOS, not including the first few exploratory transactions. Given the price of EOS at the time of the heist – around $5.13 – that means runningsnail stole about $24,250.
DEOS Games confirmed the hack the next day:

We are back up and running with EOS game for last 6+ hours. Yesterday, we got a malicious contract exploit our contract. it is a good stress test and we got significant improvements on contract level. Keep doing what we do, remember we are still in beta!

— DEOSGames (@DEOS_Games) 10 September, 2018

This highlights a problem with smart contracts. Unlike other software, which deals with symbols representing money, the data that they send around the network is actually money. When it’s sent, no bank has to follow up and settle it later. It’s gone, whisked off to someone’s anonymous account – whoosh – and you don’t get it back. So the stakes are high when dealing with security flaws in smart contracts.
Runningsnail’s smart contract interacted with the DEOS Games contract, but included malicious code that made the DEOS contract do something it shouldn’t.

This isn’t the first time that hackers have used one smart contract to attack another.
The most famous hack hit the Decentralized Autonomous Organization (DAO), a company set up in 2016 to function entirely using smart contracts which would handle all the back office tasks normally taken care of by lawyers and admins. People bought tokens based on the Ethereum network’s cryptocurrency, Ether, that gave them the right to vote as part of the DAO, enabling them to vote to fund different entrepreneurial projects.
Unfortunately, someone exploited a series of vulnerabilities in the smart contract and siphoned off around $55m in Ether into another address. This posed a crisis for Ethereum, which ended up having to break a cardinal blockchain rule and commit to a hard fork so that it could invalidate the transaction. This effectively rolled back transactions on its blockchain, as though they had never happened.
Blockchains are supposed to be immutable, and playing God in this way is a big deal. It split the community, and some people were so sore about it that they set up Ethereum Classic, another version of the network that didn’t acknowledge the hard fork.
There have been many more smart contract exploits since – all easily trackable via block explorers. However, while you can see the hacks taking place, you can’t easily link the account name to who’s behind them. It’s like watching someone rob a bank in disguise and not being able to do a thing about it.
Programming is hard, and programming smart contracts is no exception. Expect to see a lot of this sort of thing in these early days of blockchain-based applications.