Smart contracts on two EOS gambling platforms have been hacked in the last four days for a combined total of more than a quarter of a million dollars, while a third incident saw one user collect $600,000 in an unusual-looking run of wins that EOSBet insists was simply luck.
DEOSGames Hacked — $24,000 Stolen
We are back up and running with the EOS game for the last 6+ hours. Yesterday, a malicious contract exploited our contract. It is a good stress test and we got significant improvements on the contract level. Keep doing what we do, remember we are still in beta!
— DEOSGames (@DEOS_Games) September 10, 2018
The first and smaller hack occurred on Sept. 9, when a DEOSGames user named runningsnail went on what appeared to be quite a winning streak, collecting roughly $1,000 jackpot payments dozens of times. The user would deposit 10 EOS and then win the jackpot about 30 seconds later, like clockwork, a suspiciously automated pattern that is visible in the user's eosflare account overview.
DEOSGames confirmed that its smart contract had been exploited, spinning the incident as "a good stress test" in a short statement released on social media.
EOSBet Hacked — $236,000 Stolen
Yesterday, /u/EOSBetCasino released a statement on Reddit explaining the nature and scale of a smart contract hack that resulted in a major loss of funds.
“Dear EOSBet Community,
On September 14th around 3:00AM UTC we experienced a hack and breach of our bankroll, resulting in a theft of 44,427.4302 EOS before our contracts were taken offline by the development team. The remaining 463,745 EOS in our EOSBETDICE11 and EOSBETCASINO contracts are safe, the vulnerability is patched, and we are back online. We want to be as transparent as possible in explaining this breach and addressing any concerns the community might have.”
The attacker exploited a flaw in how the contract handled incoming transfers: they were able to trigger the contract's bet logic without going through the eosio.token transfer action, which meant that no funds were actually deposited into the smart contract. Whenever they lost, nothing was taken from them, but whenever they won, the contract paid out real EOS from the bankroll, which could then be cashed out. In effect the attacker was gambling in a consequence-free casino that dished out free money.
The team posted the vulnerable section of code for inspection and went on to explain what had been changed and why, a move that was met with praise from several users on Reddit. Others were not so forgiving, with one user mocking the skill of the team and of the third-party auditors it says it hired, in response to a section of the statement which read:
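The flaw class is easiest to see in a model of an EOSIO contract's action dispatcher. The C++ below is an added illustration written for this article; it is not EOSBet's contract and not the patched code the team posted, and it replaces the EOSIO toolchain with plain std:: types so it compiles stand-alone. The account names (eosbetdice11 as the dice contract, attacker1111 and player111111 as the sender accounts) and the simplified Transfer struct are assumptions made for the example.

```cpp
// Added illustration, not EOSBet's code: a minimal model of the EOSIO
// apply() dispatch pattern.  On EOSIO every account on an action's notify
// list receives the action, and the runtime passes the account that EMITTED
// it as `code`.  A dispatcher that checks only the action name therefore
// accepts a "transfer" emitted by any contract, not just eosio.token.
#include <cstdint>
#include <string>

// A token transfer as delivered to a contract handler.  Assumed simplified
// shape: eosio.token's real transfer carries an asset, not a bare int64_t.
struct Transfer {
    std::string from;
    std::string to;
    int64_t     quantity;   // whole EOS, for simplicity
    std::string memo;       // bet parameters, e.g. "roll under 50"
};

// Toy dice contract that credits a bet when it sees a transfer to itself.
struct DiceContract {
    std::string self;       // our own account name
    int64_t     credited = 0;

    void place_bet(const Transfer& t) { credited += t.quantity; }

    // VULNERABLE dispatcher: only the action name is inspected.  A contract
    // under the attacker's control can declare its own "transfer" action,
    // notify us, and we treat it as a deposit although no token moved.
    void apply_vulnerable(const std::string& code, const std::string& action,
                          const Transfer& t) {
        (void)code;  // never checked: this is the bug
        if (action == "transfer") place_bet(t);
    }

    // HARDENED dispatcher: accept a transfer only when it is emitted by the
    // system token contract, is addressed to us (both `from` and `to` get
    // notified, so our own payouts echo back with from == self), and carries
    // a positive amount.
    void apply_hardened(const std::string& code, const std::string& action,
                        const Transfer& t) {
        if (code != "eosio.token") return;   // forged notification
        if (action != "transfer")  return;
        if (t.to != self)          return;   // outgoing or observed transfer
        if (t.quantity <= 0)       return;
        place_bet(t);
    }
};

// Scenario 1: attacker contract "attacker1111" emits an action named
// "transfer" with the dice contract on its notify list.  `code` is the
// attacker's account.  Returns the EOS the dice contract believes it got.
int64_t credited_by_fake_transfer(bool hardened) {
    DiceContract dice{"eosbetdice11"};
    Transfer fake{"attacker1111", "eosbetdice11", 10, "roll under 50"};
    if (hardened) dice.apply_hardened("attacker1111", "transfer", fake);
    else          dice.apply_vulnerable("attacker1111", "transfer", fake);
    return dice.credited;
}

// Scenario 2: genuine deposit emitted by eosio.token.  Both dispatchers
// must still accept this, otherwise the fix would break the game.
int64_t credited_by_real_transfer(bool hardened) {
    DiceContract dice{"eosbetdice11"};
    Transfer real{"player111111", "eosbetdice11", 10, "roll under 50"};
    if (hardened) dice.apply_hardened("eosio.token", "transfer", real);
    else          dice.apply_vulnerable("eosio.token", "transfer", real);
    return dice.credited;
}

// Scenario 3: the dice contract's own payout notification echoing back.
// `code` is legitimately eosio.token, but `to` is the player, not us.
int64_t credited_by_payout_echo(bool hardened) {
    DiceContract dice{"eosbetdice11"};
    Transfer payout{"eosbetdice11", "player111111", 10, "winnings"};
    if (hardened) dice.apply_hardened("eosio.token", "transfer", payout);
    else          dice.apply_vulnerable("eosio.token", "transfer", payout);
    return dice.credited;
}
```

The three checks in apply_hardened are cheap and independent: the `code` check defeats a forged notification from a foreign contract, the `to == self` check stops the contract from crediting its own outgoing payouts or third-party transfers it merely observes, and the quantity check rejects zero or negative bets. A contract that validates the memo-encoded bet parameters but skips the `code` check is still fully exposed, because the attacker controls every field of a self-issued action.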
“We take security very seriously at EOSBet. Our code was audited extensively by our development team and multiple independent 3rd parties.”
Was the $600,000 EOSBet Win a Third Hack?
This statement comes days after a user on the same platform won $600,000 in a 36-hour series of consecutive dice rolls in which the user repeatedly doubled their money. The incident was suspicious enough for The Next Web to characterize it as a hack, but EOSBet have since claimed that no code exploit was involved and that the user was simply lucky, a claim that is currently under investigation.