Over $200,000 Stolen from EOSBet Gambling PlatformSep 16, 2018, 7:08AM
EOSBet's faulty code allowed hackers to steal $200,000. The attack provides more evidence that many smart contracts still contain critical bugs.
A popular gambling dApp called EOSBet lost 44,427 EOS due to a security issue in its code. Yesterday, it was revealed that the app's smart contracts contained a bug that enabled hackers to make off with about $200,000 worth of tokens. Today, the site resumed service and disabled the faulty smart contracts.
As identified and detailed in EOSBet's official statement, hackers were able to trick EOSBet into giving away EOS tokens by calling the app's transfer function without actually putting in money,
[The bug] allows an attacker to bypass the eosio.token -> transfer function completely, and directly call eosbetdice11 -> transfer. The attacker did exactly this...[and] he was allowed to place bets without transferring EOS to the contract / EOSBet on Reddit
There is also an element of hubris in the story, as there were some warning signs prior to the attack. In a deleted tweet from September 9, EOSBet claimed that its competitors were under attack while implying that they themselves were immune,
DEOS Games, a clone and competitor of our dice game, has suffered a severe hack today that drained their bankroll. As of now every single dice game and clone site has been hacked. We have the biggest bankroll, the best developers, and a superior UI. Play on #EOSBet.
EOSBet was, of course, hacked just days later. It is not clear if the same smart contract was responsible for each attack, but it seems likely that this is the case, given that some of the affected apps are clones of EOSBet.
However, this was not the first attack on EOSBet. A previous hack on the site also allowed attackers to steal RAM (but not funds) in late August. The situation is additionally complicated by a recent $600,000 payout that EOSBet claims was not a hack: "all payouts to the account in question are legitimate – just pure luck."
Although EOSBet's track record does not look good, bugs in smart contracts are a widespread problem. Luckily, various projects are attempting to develop testing and auditing tools, which may reduce the prevalence of smart contract bugs in the future.
Disclaimer: information contained herein is provided without considering your personal circumstances, therefore should not be construed as financial advice, investment recommendation or an offer of, or solicitation for, any transactions in cryptocurrencies.