Exploited Alarm Clock Smart Contracts on Ethereum: The Developing Story

Blockchain security firm PeckShield published details of a new transaction fee refund exploit on the TransactionRequestCore smart contract belonging to the Ethereum Alarm Clock project.

At press time, about 24 hackers had been seen robbing the owner of the transaction by calling the transaction cancel function.

Smart contract refund expired

The transaction fee then sent to the caller was much higher than what the owners of the original transaction would have received had they requested a refund.

The purpose of the cancel function is to calculate the owner’s gas cost, add a constant amount of 85,000 to it, and return the total to them.

Source: Supremacy Inc.

As a result, the hacker does not need to use more than 70,355 in gas to receive a refund in excess of the original transaction fee. After that, they can pocket the difference.

Accordingly, one Twitter user, pyggie9, tweeted:

According to PeckShield, 51% of the bloated refunds are paid to miners as profits, thereby increasing their miner extractable value (MEV). So far, one of the beneficiaries has been an Ethereum validator using liquid staking pool Lido Finance. Etherscan data shows that the validator allegedly received $158,000 (121 ETH) from contract 0xbb1d6b3be1396a4b5ccb8d061b302250bb2b73fd on block 15,782,459.

According to security company Supremacy Inc., hackers have stolen 204 ETH so far.

Miner extractable value refers to the profit miners can make by arranging transactions in blocks to maximize their returns. An accepted method of improving MEV returns is proposer/block-builder separation. A proposer in the Ethereum virtual machine can earn a decent amount of money for sending blockspace to a group of trusted block builders.

Alarm clock operation

The Ethereum Alarm Clock project lets Ethereum transactions be scheduled to occur at a future date. Transactions can be scheduled by people or smart contracts. Additionally, EAC enables timenodes to call transactions during a certain time frame.

The TransactionRequestCore smart contract involved in this latest exploit is four years old.

According to a recent report by research firm Token Terminal, it is not easy to fix smart contract exploits.

This hack is still active, and updates will be added soon.
