Major Hacking Exploit steals $260,000 from EOS Gambling Platforms
Two gambling platforms that run on EOS smart contracts have fallen prey to a malicious hack in recent days. The result is the theft of more than a quarter of a million USD. Additionally, another EOS platform paid out a jackpot of $600,000 recently. This is also raising suspicions in the light of the events mentioned above, even though the game's organizer, EOSBet, claims that the jackpot is legitimate.
The smaller of the hacks supposedly took place on September 9, when a user by the name of runningsnail went on an apparent winning streak. He collected $1,000 payouts over a dozen times. The user repeated the process of depositing 10 EOS and winning a jackpot 30 seconds later. It soon became clear that the process was most likely automated and had nothing to do with luck or ordinary human play.
DEOSGames later confirmed that its smart contract, like those used on the Ethereum network, had been compromised. The short statement on social media tried to make the best of the situation by labelling the incursion a good stress test. Even if it was, it was certainly a costly one for the organisers.
The Costly Hack of EOSBet
A few days later, EOSBitCasino came out with a statement on Reddit that explained the hack of its smart contract. This one, unlike the first incursion, resulted in the theft of $236,000. The casino explained that the hack breached the app's bankroll and extracted over 44,000 EOS. At that point, the team behind the digital casino took the contracts offline.
The contracts of the two apps, EOSBetDice11 and EOSBetCasino, still hold 463,000 EOS and these are, according to the casino, safe. The casino claims that the vulnerability has been patched and that the contracts are back online. The casino now wants to be as transparent as possible about these breaches and says it will work hard on addressing any community concerns.
The Mechanics of the Hack
The attack exploited a coding flaw that allowed it to bypass eosio.token and its transfer function. This meant that the attackers' funds were never actually deposited into the regular casino smart contract. Their losing bets therefore cost them nothing, while their winning bets paid out real funds that they could then cash out. Essentially, they got the casino smart contracts to hand them free money.
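As an added illustration, not code from EOSBet or any of the platforms named here: the following is a simplified C++ model of the deposit check that the article's description implies. It assumes the flaw was a dispatcher that credited any action named `transfer` regardless of which contract emitted it (the article only says the attack bypassed eosio.token and its transfer function; that specific pattern is an assumption). The account names `casino.demo`, `player.one` and `fake.token` are constructed placeholders, and the real EOSIO SDK types (`eosio::name`, `eosio::asset`) are replaced with plain strings and integers so the model builds with a standard compiler.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Constructed, simplified model of an EOSIO contract's action dispatcher.
// Real contracts receive (receiver, code, action) as 64-bit names; plain strings stand in here.
struct TransferAction {
    std::string from;
    std::string to;
    uint64_t    quantity;   // constructed: whole EOS units, no precision handling
    std::string memo;
};

struct Notification {
    std::string    code;    // the contract whose action is being notified
    std::string    action;  // the action name
    TransferAction data;
};

const std::string kTokenContract = "eosio.token";
const std::string kCasinoAccount = "casino.demo";  // hypothetical placeholder account

struct Bankroll {
    uint64_t credited = 0;  // EOS the casino contract believes it has received
};

// Vulnerable pattern (assumed, consistent with the article): any action named
// "transfer" addressed to the casino is credited, no matter which contract emitted it.
bool vulnerableApply(Bankroll& bank, const Notification& n) {
    if (n.action == "transfer" && n.data.to == kCasinoAccount) {
        bank.credited += n.data.quantity;
        return true;
    }
    return false;
}

// Hardened pattern: a deposit is credited only when the notification originates
// from eosio.token itself; a "transfer" emitted by any other contract is ignored.
bool hardenedApply(Bankroll& bank, const Notification& n) {
    if (n.code != kTokenContract) return false;
    if (n.action != "transfer" || n.data.to != kCasinoAccount) return false;
    bank.credited += n.data.quantity;
    return true;
}

// Run both dispatchers over the same notification sequence and return the
// credited totals: index 0 = vulnerable dispatcher, index 1 = hardened dispatcher.
std::vector<uint64_t> runScenario(const std::vector<Notification>& seq) {
    Bankroll v, h;
    for (const auto& n : seq) {
        vulnerableApply(v, n);
        hardenedApply(h, n);
    }
    return {v.credited, h.credited};
}

// Constructed scenario: one genuine 10 EOS deposit via eosio.token, then a
// "transfer" notification emitted by a different contract that moved no real tokens.
std::vector<Notification> sampleSequence() {
    return {
        {kTokenContract, "transfer", {"player.one", kCasinoAccount, 10, "bet"}},
        {"fake.token",   "transfer", {"player.one", kCasinoAccount, 10, "bet"}},
    };
}

int main() {
    auto r = runScenario(sampleSequence());
    std::cout << "vulnerable dispatcher credited: " << r[0] << " EOS\n"
              << "hardened dispatcher credited:   " << r[1] << " EOS\n";
    return 0;
}
```

The difference between the two totals is the whole vulnerability: the vulnerable dispatcher books 20 EOS of deposits when only 10 EOS ever moved on chain, so every bet placed against the phantom balance is risk-free for the bettor. Checking the originating contract (`code`) before trusting a transfer notification is the check that closes it.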
The community reacted positively to the casino's decision to explain the exact nature of the vulnerability and the process of fixing it. Others, however, pointed out that the EOSBet code had been audited both by the team that wrote it and by third-party contractors. Clearly, this issue slipped under the radar for all of them, and it ended up being very expensive for the game operators.
Possible Third Hack
These developments are troubling because, days after the events, a user managed to win more than half a million USD. The user doubled their bet on dice rolls again and again over a day and a half, which resulted in a winning streak worth $600,000. Some external observers soon characterized this event as a suspected new hack.
Yet EOSBet has claimed that there was no code exploit of any kind. Instead, the casino says that the user was simply incredibly lucky, although an investigation is ongoing and its results might point otherwise.
Whatever the third and biggest event turns out to be, there is no doubt that the first two were malicious exploits. While users themselves did not lose any of their funds, the incident shows that individual crypto gaming platforms, like those on EOS here, can easily end up in hot water.