A savvy player at a cryptocurrency casino has walked away with a cool $110,000 by exploiting a flaw in the programming of a smart contract of a gambling application. The gambling application in question, EOSPlay, is hosted on the smart contract, blockchain-based network EOS. The attacker essentially overloaded the network, which allowed them to generate winnings with zero risk. Literally each roll of a dice was a guaranteed winner!
As reported in the cryptocurrency news publication Crypto Slate, the EOSPlay vulnerability was discovered in mid-September. The attacker used a second EOS application to facilitate the hack. The service used, EOS REX, is a computing power lending service. Users stake EOS tokens in exchange for RAM and CPU power to use of the EOS network.
By staking more than any other EOS REX user, the attacker was able to fill blocks on the blockchain with their own transactions, thus grinding the network to a halt. With the network impaired, they were able to exploit the EOSPlay gambling application to the tune of $110,000. A developer for the EOS REX commented:
“Everyone basically gets locked out unless they have more EOS staked than the attacker.”
In order to lock everyone out, the attacker had to outbid the other users. They staked around 900,000 EOS tokens to achieve this. They also had to make a few other transactions to setup the attack and trick the contract into paying out. This cost them a total of $1,200 at the EOS price at the time.
The report in Crypto Slate states that it would have been very difficult for the developers behind EOSPlay to disable the exploited smart contract. This means that it can still be exploited with just a few thousand dollars staked on EOS REX.
One anonymous developer working on the EOS protocol said at the time said that it was possible that other applications on the EOS network were impacted by the flaw in the EOS REX system too.
More recently, a second gambling application hosted on the EOS network fell victim to a similar scam. This time, PeckShield’s DAppShield – a service intended to spot irregularities in blockchain systems – detected that a hacker was able to exploit the application called SKR for around $12,000 worth of EOS. The scary thing is that there may be more exploits in hundreds of real money online casino games.
It is important to note that the EOS network itself was not compromised by either attacks and users funds held away from any of the applications involved will definitely not have been impacted by these smart contract flaws. Dan Larimer, an EOS developer, confirmed that the network itself was neither damaged nor compromised by the attack:
“EOS is operating correctly. This is no different than when attackers flood eth or bitcoin with high fee transaction spam. The network didn’t freeze for token holders, there was just no extra bandwidth available for free use.”
However, such incidents serve to remind users of the serious considerations that need to be made with so-called programmable money in the form of smart contracts.
When creating smart contracts, such as those used in gambling applications (and every other decentralised application on blockchain networks like EOS), potential attack vectors increase exponentially with each layer of complexity. The more interest an application attracts (and therefore more money stored in a smart contract), the more appealing it is for an opportunistic hacker to attempt to exploit it. The EOSPlay application is actually one of the most popular decentralised applications on any blockchain network to date. With hundreds of thousands of dollars locked up in its smart contracts, it is little surprise to see it fall victim to such an exploit.
It is not like such exploits are anything new and the casino examples here will likely not be the last either. In fact, one of the very first major smart contracts was destroyed through an exploit. In Ethereum’s very early days, an effort at creating a decentralised autonomous organisation (DAO) failed spectacularly with hackers making off with around $70 million worth of ETH tokens in 2016. This incident actually caused the Ethereum network to hard fork to return investors’ funds. Many argued that such a policy was exactly what blockchain currencies were intended to prevent against. Those Ethereum miners and developers supporting that view continued to mine the original chain which did not include the roll back, and by doing so created what is now known as Ethereum Classic (ETC).