A bug in the smart contract code of the Ethereum Alarm Clock service has reportedly been exploited, and around $260,000 is said to have been stolen from the protocol so far.
Ethereum Alarm Clock allows users to schedule future transactions by pre-determining the recipient address, the amount to be transferred and the desired transaction time. Users need Ether (ETH) to complete the transaction and must prepay the gas fees.
According to a Twitter post by blockchain security and data analytics firm PeckShield on Oct. 19, hackers were able to exploit a loophole in the scheduled transaction process and profit off gas fees returned from canceled transactions.
Simply put, the attackers called the cancel function of the Ethereum Alarm Clock contract with a high transaction fee. Since the protocol refunds gas fees for canceled transactions, a bug in the smart contract allows hackers to be refunded more in gas fees than they originally paid, and pocket the difference.
“We’ve seen active exploits manipulating the TransactionRequestCore contract to take advantage of huge gas prices for rewards at the expense of the original owner. In fact, the exploit pays miners 51% of the profit, hence this huge MEV-Boost reward,” the company wrote.
We’ve seen active exploits manipulating the TransactionRequestCore contract to take advantage of huge gas prices for rewards at the expense of the original owner. In fact, the exploit pays miners 51% of the profit, hence this huge MEV-Boost reward. https://t.co/7UAI0JFv72 https://t.co/De6QzFN472 pic.twitter.com/iZahvC83Fp
— PeckShield Inc. (@peckshield) October 19, 2022
PeckShield added that at the time, it discovered 24 addresses that were exploiting the bug to collect supposed “rewards.”
Web3 security company Supremacy Inc also provided an update hours later, pointing to Etherscan transaction history showing that the hackers have so far been able to swipe 204 ETH (worth about $259,800 at the time of writing).
“Interesting attack event. The TransactionRequestCore contract is 4 years old and belongs to the Ethereum Alarm Clock project,” said the company.
2/ The cancel function calculates the transaction fee (gas used * gas price) spent on “gas usage” over 85000 and forwards it to the caller. pic.twitter.com/aXyad0oDPv
— Supremacy Inc. (@Supremacy_CA) October 19, 2022
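The refund arithmetic described above, as an added example that is not from the article or from the Ethereum Alarm Clock code: a simplified Python model of a cancel refund priced at the caller's own gas price, beside a hypothetical variant that caps that price. It assumes the 85000 figure is a fixed gas allowance added to the measured gas and that the caller is billed less gas than that sum; all names and numbers are constructed.

```python
from dataclasses import dataclass

GWEI = 10**9
CANCEL_EXTRA_GAS = 85_000  # the fixed figure quoted in the Supremacy tweet

@dataclass
class CancelCall:
    """One cancel() call; every value below is constructed for illustration."""
    caller: str
    gas_price_wei: int   # gas price the caller attached to the transaction
    measured_gas: int    # gas the contract measured while cancel() ran
    billed_gas: int      # gas the caller was actually charged for the transaction
    deposit_wei: int     # owner's prepaid ETH held by the scheduled request

def refund_uncapped(c: CancelCall) -> int:
    """(measured gas + 85000) * caller-chosen gas price, paid from the deposit."""
    owed = (c.measured_gas + CANCEL_EXTRA_GAS) * c.gas_price_wei
    return min(owed, c.deposit_wei)  # the contract cannot pay more than it holds

def refund_capped(c: CancelCall, max_price_wei: int) -> int:
    """Hypothetical hardening: never price the refund above an owner-set bound."""
    price = min(c.gas_price_wei, max_price_wei)
    return min((c.measured_gas + CANCEL_EXTRA_GAS) * price, c.deposit_wei)

def caller_net(c: CancelCall, refund: int) -> int:
    """Refund minus fee paid; > 0 means the deposit paid out more than the caller spent."""
    return refund - c.billed_gas * c.gas_price_wei

def audit(calls, max_price_wei):
    """Per call: (caller, net with the uncapped refund, net with the capped refund)."""
    return [(c.caller,
             caller_net(c, refund_uncapped(c)),
             caller_net(c, refund_capped(c, max_price_wei))) for c in calls]

# Constructed sample: identical gas usage, ordinary vs. inflated gas price.
CALLS = [
    CancelCall("caller-normal", 20 * GWEI, 30_000, 70_000, 5 * 10**18),
    CancelCall("caller-inflated", 20_000 * GWEI, 30_000, 70_000, 5 * 10**18),
]

if __name__ == "__main__":
    for caller, uncapped, capped in audit(CALLS, 50 * GWEI):
        print(f"{caller}: uncapped net {uncapped / 10**18:+.4f} ETH, "
              f"capped net {capped / 10**18:+.4f} ETH")
```

In this model the overpayment grows linearly with the caller's gas price when the refund is uncapped, while the capped variant limits it to the allowance multiplied by the cap.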
As it stands, there are no updates on the topic to determine whether the hack is ongoing, whether the bug has been patched, or whether the attack is over. Cointelegraph will provide updates as the story develops.
October is generally associated with bullish moves, but this month has been rife with hacks so far. With $718 million stolen in hacks, it has been the month of 2022 with the most hacking activity.