A month ago we heard of an attack on the EOSBet gambling app. That time, the hackers exploited a vulnerability in its smart contract to steal 44,000 EOS. Now, a month later, EOSBet has been hacked again. Reportedly, a bug in the handling of its smart tokens dealt the dApp an even bigger blow, with attackers stealing 65,000 EOS.
EOSBet Got Hacked Again Due To A Flaw
According to a recent Hard Fork report, the gambling app EOSBet was hacked again due to a flaw in its system. The hackers exploited the vulnerability to pilfer 65,000 EOS, worth around $338,000.
As reported recently, the hackers injected malicious code into EOS wallets. The code tricked the dApp's smart tokens into wrongly crediting their accounts with large amounts. By doing so, they successfully stole about 65,000 EOS, worth around $388,000. As reported,
“In this case, the code activated EOSBets’ ‘transfer’ function, tricking it into matching every EOS sent with equal amounts from its operational wallets.”
The suspected hacker account “ilovedice123” then transferred the EOS to another account that supposedly belongs to a major cryptocurrency exchange.
Vulnerability Patched
Soon after the discovery of the incident, EOSBet officially patched the flaw, as disclosed in their Medium post. They have also urged all users to patch this flaw accordingly.
Any contract relying on transfer notifications from eosio.token should add this check immediately: if (transfer.to != _self) return;
If you execute business logic on only incoming transfers, but reuse transfer action for both incoming and outgoing transfers, please use: if (transfer.from == _self || transfer.to != _self ) return;
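The two checks quoted above are easier to reason about with a concrete model of who gets a transfer notification. The following C++ program is an added illustration, not EOSBet's contract and not the EOSIO library: it simulates, with plain structs instead of eosio headers, a dApp handler that books a deposit whenever it is notified of a transfer, and compares the unchecked version with one that applies `if (transfer.from == _self || transfer.to != _self) return;`. All account names, the `Dapp` struct and the scenario functions are assumptions made for this example.

```cpp
// Constructed simulation (not EOSIO's library and not EOSBet's contract) of how an
// eosio.token-style transfer notification reaches a dApp and why the recipient and
// sender checks matter. All account and function names here are illustrative assumptions.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <utility>

struct Transfer {
    std::string from;
    std::string to;
    int64_t quantity;   // whole EOS, for simplicity
    std::string memo;
};

// A dApp that keeps a per-player credit balance fed by transfer notifications.
// On the real chain the dApp is notified (via require_recipient) of any transfer in which
// it is the sender or the receiver, and any other contract may also name the dApp as a
// recipient of its own action, so a notification alone proves nothing about who got paid.
struct Dapp {
    std::string self;                       // the contract's own account (_self)
    std::map<std::string, int64_t> credits; // balances the dApp believes it holds for players

    explicit Dapp(std::string name) : self(std::move(name)) {}

    // VULNERABLE pattern: books a deposit for `from` on every notification, without asking
    // whether the EOS actually landed in this contract.
    void on_transfer_vulnerable(const Transfer& t) {
        credits[t.from] += t.quantity;
    }

    // HARDENED pattern, the check quoted in the post above: ignore the dApp's own outgoing
    // transfers and anything not addressed to the dApp itself.
    void on_transfer_hardened(const Transfer& t) {
        if (t.from == self || t.to != self) return;
        credits[t.from] += t.quantity;
    }

    void deliver(const Transfer& t, bool hardened) {
        if (hardened) on_transfer_hardened(t); else on_transfer_vulnerable(t);
    }
};

// Scenario 1: a genuine deposit. Both handlers must credit the player.
int64_t genuine_deposit_credit(bool hardened) {
    Dapp dapp("dappaccount1");                                   // assumed dApp account
    Transfer deposit{"player111111", "dappaccount1", 100, "bet"}; // constructed input
    dapp.deliver(deposit, hardened);
    return dapp.credits["player111111"];
}

// Scenario 2: a notification whose `to` is NOT the dApp. No EOS reached the dApp, yet the
// unchecked handler books a 100 EOS credit for the sender.
int64_t misaddressed_notification_credit(bool hardened) {
    Dapp dapp("dappaccount1");
    Transfer fake{"someaccount1", "otheraccount", 100, "not for the dApp"}; // constructed
    dapp.deliver(fake, hardened);
    return dapp.credits["someaccount1"];
}

// Scenario 3: the dApp pays a player out. eosio.token notifies the dApp because it is the
// sender; treating that echo as a deposit corrupts the dApp's own bookkeeping.
int64_t payout_echo_credit(bool hardened) {
    Dapp dapp("dappaccount1");
    Transfer payout{"dappaccount1", "player111111", 50, "winnings"}; // constructed
    dapp.deliver(payout, hardened);
    return dapp.credits["dappaccount1"];
}

int main() {
    std::printf("genuine deposit   vulnerable=%lld hardened=%lld\n",
                (long long)genuine_deposit_credit(false), (long long)genuine_deposit_credit(true));
    std::printf("misaddressed note vulnerable=%lld hardened=%lld\n",
                (long long)misaddressed_notification_credit(false),
                (long long)misaddressed_notification_credit(true));
    std::printf("payout echo       vulnerable=%lld hardened=%lld\n",
                (long long)payout_echo_credit(false), (long long)payout_echo_credit(true));
    return 0;
}
```

Running the program shows the hardened handler still accepts the genuine deposit in scenario 1 while booking nothing in scenarios 2 and 3; the unchecked handler credits 100 EOS for a transfer the dApp never received. The point to take from the simulation is that the `to != _self` test is the only thing tying a notification to money actually held by the contract, and the `from == _self` test keeps the contract's own payouts from being re-read as deposits.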
The present event marks the second hacking incident for the EOSBet gambling dApp. Last month, EOSBet lost around 44,000 EOS to hackers who exploited a vulnerability in the platform’s smart contract.