Just days after mocking EOS-based gambling platform DEOSGames for being hacked, EOSBet Casino’s dice gaming dApp – EOSBet Dice – was itself hacked. By exploiting vulnerabilities in the platform’s smart contracts, the hacker was able to siphon off roughly 44,400 EOS – worth more than $240,000 at current market prices.
EOSBet Left with Egg on Its Face – and a $240k Lighter Wallet
EOSBet is learning firsthand that karma is a right b*tch. Just days after taking to Twitter to mock competitor DEOSGames for being hacked, EOSBet found themselves in similar straits.
On September 14, at approximately 3:00 am UTC, a hacker going by the pseudonym aabbccddeefg exploited a vulnerability in EOSBet Dice’s smart contracts and managed to steal a reported 44,427.4302 EOS from EOSBet’s operating wallet. At current market prices, the theft is valued at over $240,000.
An EOSBet spokesperson confirmed the hack, stating:
A few hours ago, we were attacked, and about 40,000 EOS was taken from our bankroll. […] This bug was not minor as was stated previously, and we are still doing forensics and piecing together what happened.
Following the hack, EOSBet took its dice dApp offline while they attempted to ascertain exactly what happened.
According to Hard Fork, Redditor u/thbourlove was the first to share the discovery of the vulnerability, which allowed the hacker to call EOSBet’s ‘transfer’ function externally, using a fake hash. In a detailed explanation of the hack on Reddit, EOSBet explained that the exploit essentially allowed the hacker to place bets on the platform without having to transfer EOS to the contract. The hacker incurred no losses on a losing bet but a winning bet paid out real EOS from the contract, which he or she then withdrew.
In this particular instance, 23 transactions sent varying amounts to the hacker’s account in the span of less than five minutes.
After patching the vulnerability, EOSBet was able to get the dice game back online that same day.
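The article does not reproduce the contract code, but the behaviour it describes (a ‘transfer’ handler that could be reached without any EOS actually moving) is what happens when an EOSIO contract dispatches on the action name alone. The block below is an added example, not EOSBet’s code and not part of the original article: a plain C++ model of the contract’s dispatcher with the vulnerable and hardened variants side by side. It assumes the missing guard was the check that the `transfer` notification came from the `eosio.token` contract (the `code` argument of EOSIO’s `apply`); the `Action` and `Casino` types, the account names, the amounts and the simplified 2x payout are all constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Model of what an EOSIO contract receives in apply(receiver, code, action).
// `code` is the account whose action is being delivered. A genuine deposit is
// a "transfer" action owned by eosio.token, relayed to the casino because it
// is the recipient. Any account can also emit an action *named* "transfer"
// from its own contract; that arrives with `code` set to that account, and no
// EOS has moved. (Constructed model; field names are not EOSIO's own.)
struct Action {
    std::string receiver;   // account the action is delivered to
    std::string code;       // contract that owns the action
    std::string name;       // action name
    std::string from;
    std::string to;
    uint64_t quantity;      // stake in the smallest unit (0.0001 EOS)
};

class Casino {
public:
    Casino(std::string acct, uint64_t funds) : account_(std::move(acct)), bankroll_(funds) {}

    // Vulnerable dispatcher (assumed model of the flaw): a bet is credited for
    // any action named "transfer" addressed to the casino, whatever `code` is.
    bool creditBetVulnerable(const Action& a) {
        if (a.name != "transfer" || a.to != account_) return false;
        pending_.push_back(a.quantity);
        return true;
    }

    // Hardened dispatcher: the notification must be owned by the token
    // contract, be a transfer, be addressed to this contract, and carry a
    // non-zero stake. Everything else is dropped before any state changes.
    bool creditBetHardened(const Action& a) {
        if (a.code != "eosio.token" || a.name != "transfer") return false;
        if (a.receiver != account_ || a.to != account_) return false;
        if (a.quantity == 0) return false;
        pending_.push_back(a.quantity);
        return true;
    }

    // Settle the most recent credited bet. A win pays double the stake from
    // the bankroll (simplified dice payout); a loss pays nothing. For a forged
    // deposit the loss costs the bettor nothing, since no stake ever arrived.
    uint64_t settleLast(bool win) {
        if (pending_.empty()) return 0;
        uint64_t stake = pending_.back();
        pending_.pop_back();
        if (!win) return 0;
        uint64_t payout = 2 * stake;
        if (payout > bankroll_) payout = bankroll_;
        bankroll_ -= payout;
        return payout;
    }

    uint64_t bankroll() const { return bankroll_; }
    std::size_t pendingBets() const { return pending_.size(); }

private:
    std::string account_;
    uint64_t bankroll_;
    std::vector<uint64_t> pending_;
};

// Constructed sample actions: a real deposit relayed by eosio.token, and a
// forged "transfer" emitted by a hypothetical account's own contract.
inline Action realDeposit()   { return {"casino", "eosio.token", "transfer", "player1",   "casino", 10000}; }
inline Action forgedDeposit() { return {"casino", "attacker1",   "transfer", "attacker1", "casino", 10000}; }

// Bankroll left after a forged "transfer" is credited and the bet wins,
// under each dispatcher. Starting bankroll: 100000 (10 EOS).
uint64_t bankrollAfterForgedWinVulnerable() {
    Casino c("casino", 100000);
    c.creditBetVulnerable(forgedDeposit());
    c.settleLast(true);
    return c.bankroll();   // 80000: 2 EOS paid out against a stake that never arrived
}

uint64_t bankrollAfterForgedWinHardened() {
    Casino c("casino", 100000);
    c.creditBetHardened(forgedDeposit());
    c.settleLast(true);
    return c.bankroll();   // 100000: nothing credited, nothing paid
}

bool hardenedAcceptsRealDeposit() {
    Casino c("casino", 100000);
    return c.creditBetHardened(realDeposit());
}
```

The point of the hardened variant is that it validates where the notification came from, not merely what it is called; the `to` check also stops the contract from crediting a bet when it is merely notified of a transfer between two other accounts. A production contract would additionally verify the token symbol and precision of `quantity`, which this model omits.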
What are your thoughts on the EOSBet hack? Is it something that could have been avoided and if so, how? Let us know in the comments below.
Images courtesy of Shutterstock, Twitter, Bloks.io