Gambling DApp EOSCast Hacked, More Than 60,000 EOS Stolen
A hacker account named “refundwallet” attacked EOS gambling DApp EOSCast’s contract (eoscastdmgb1) in the early morning of October 31.
Through a number of “fake EOS transfer variant” attacks, the hacker managed to steal a total of 63,014.1 EOS from the platform, according to data analysis from PeckShield, a blockchain security company.
“Fake EOS” Attack Gets More Sophisticated
The “fake EOS” attack was first seen on well-known decentralized gambling platform EOSBet.
In a “fake EOS” attack, the attacker creates an EOS-like token and names it “EOS”. The attacker then transfers a number of these fake EOS tokens to the attacked contract account. The platform contract, however, fails to check which contract issued the token in the transfer, enabling the attacker to scam a hefty sum in rewards from the game platform.
But this time, EOSCast suffered a “fake EOS transfer variant” attack—a more sophisticated version of a “fake EOS” attack. The hacker, “refundwallet”, tried to attack the EOSCast contract using “fake EOS”, but after a number of failed attempts resorted to a more advanced scam.
In this variant, the hacker, without transferring any fake EOS tokens at all, fabricated transfer parameters and sent a fake EOS transfer notice to the EOSCast contract. The EOSCast contract misread the notice as a real transfer of EOS tokens and paid out rewards accordingly.
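Both variants described above come down to a contract trusting a transfer notification without verifying where it came from. The following is an added illustration, not EOSCast's code or any code from PeckShield: it models the fields an EOSIO contract sees in its dispatcher as a plain struct, assumes the real EOS token lives in the `eosio.token` contract with symbol `EOS`, and shows a weak acceptance check beside a hardened one.

```cpp
#include <cassert>
#include <string>

// Constructed model of what an EOSIO contract sees when a transfer
// notification reaches its apply() dispatcher: which contract (`code`)
// emitted the action, the action name, and the transfer's parameters.
struct TransferNotice {
    std::string code;      // contract whose action produced the notification
    std::string action;    // action name, e.g. "transfer"
    std::string from;
    std::string to;
    std::string quantity;  // e.g. "100.0000 EOS"
};

// Weak check: trusts any action called "transfer" whose quantity ends in
// "EOS". A look-alike token from another contract, or a notice with
// fabricated parameters that moved no real token, both pass it.
bool vulnerable_accepts(const TransferNotice& n, const std::string& self) {
    (void)self;  // the receiving account is never compared against `to`
    return n.action == "transfer" && n.quantity.size() >= 3 &&
           n.quantity.compare(n.quantity.size() - 3, 3, "EOS") == 0;
}

// Hardened check: the notice must come from the real token contract, be a
// transfer, be addressed to this contract, not be our own outgoing payout,
// and carry the real EOS symbol with 4 decimal places. Anything else is
// ignored before any game or reward logic runs.
bool hardened_accepts(const TransferNotice& n, const std::string& self) {
    if (n.code != "eosio.token") return false;  // rejects fake tokens and forged notices
    if (n.action != "transfer") return false;
    if (n.to != self) return false;             // rejects notices about transfers to others
    if (n.from == self) return false;           // our own payouts are not bets
    auto sp = n.quantity.find(' ');
    if (sp == std::string::npos || n.quantity.substr(sp + 1) != "EOS") return false;
    auto dot = n.quantity.find('.');
    return dot != std::string::npos && sp - dot - 1 == 4;  // "<int>.<4 digits> EOS"
}

// Constructed sample notices as the contract account eoscastdmgb1 would see them.
const TransferNotice REAL_BET   {"eosio.token",  "transfer", "player1",  "eoscastdmgb1", "100.0000 EOS"};
const TransferNotice FAKE_TOKEN {"faketokenacc", "transfer", "player2",  "eoscastdmgb1", "100.0000 EOS"};
const TransferNotice FORGED     {"othercontrac", "transfer", "player2",  "eoscastdmgb1", "19600.0000 EOS"};
```

The weak check accepts all three constructed notices; the hardened check accepts only the genuine `eosio.token` transfer.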
The hacker attacked the EOSCast account nine times within just four minutes (four rounds of the game), gaining a large amount of EOS each time, ranging from 198 to 19,600 EOS. When the ninth attack was discovered, the platform transferred out the 8,000 EOS left in the bonus pool. In the end, the hacker had taken 63,014.1 EOS from the platform.
After the Attack
Data from PeckShield showed that another hacker account, “xobkwdiifget”, followed suit and attacked several EOS game contracts on November 1. By 3:43pm that day, the hacker had tried to attack a total of 168 contracts, but failed in the end.
According to EOSLaoMao, a variety of accounts were blacklisted shortly afterwards by the EOS Core Arbitration Forum (ECAF), including refundwallet, jhonnywalker, alibabaioeos, whitegroups, 24cryptoshop and minedtradeos. The EOSLaoMao team previously called on developers and users in the EOS community to play by the rules and comply with the EOS Constitution.
Fake EOS attacks have become rampant and pose a serious threat to the DApp ecosystem, making it necessary for DApp developers to think hard about managing such risks.