King of the Ether Smart Contract

When smart contracts run out of gas, things can start to go wrong.

In February 2016, a dApp game called King of the Ether (think king of the mountain, except that you pay more Ether than the current highest payment to be at the top) turned out to have a security vulnerability that allowed someone to cheat their way to being king.

The exploit is relatively simple. First, a smart contract sends the KoTE contract enough Ether to become the new king, but with only 2300 gas (the bare minimum).

Not from the KoTE contract, just an example of what was going on.

The problem with using send() is that if it fails because there is not enough gas, no error is thrown: send() simply returns false, and unless the caller checks that result the code continues to execute.

In the case of KoTE, after a new king had paid the new price to become king, the previous king would be compensated through the send() method. However, since there wasn't enough gas, the previous king lost his compensation and the new king was still set in the contract.

The Ethereum community's answer to this has been to favour pull over push payments. Rather than a smart contract paying a wallet directly (pushing a payment), it notifies the wallet/user, who then collects the ether (pulling the payment). Referring back to KoTE, a simple event telling the previous king they had been outbid would let them manually query the smart contract and collect their compensation.
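
The unchecked push payment described above, next to the pull-payment pattern, as an added Solidity example that is not taken from the KoTE contract or the original post. The contract names, `pendingWithdrawals` and the `Dethroned` event are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contracts for illustration; not the KoTE source.
contract PushThrone {
    address payable public king;
    uint256 public price;

    function claimThrone() external payable {
        require(msg.value > price, "bid too low");
        address payable previous = king;
        uint256 compensation = price;
        king = payable(msg.sender);
        price = msg.value;
        // send() forwards only 2300 gas and returns false on failure.
        // The result is ignored, so a failed payment is silent and the
        // new king stays installed while the compensation stays here.
        previous.send(compensation);
    }
}

contract PullThrone {
    address public king;
    uint256 public price;
    mapping(address => uint256) public pendingWithdrawals;

    event Dethroned(address indexed previousKing, uint256 compensation);

    function claimThrone() external payable {
        require(msg.value > price, "bid too low");
        if (king != address(0)) {
            // Record the debt instead of paying it, so taking the throne
            // never depends on a call to the previous king's address.
            pendingWithdrawals[king] += price;
            emit Dethroned(king, price);
        }
        king = msg.sender;
        price = msg.value;
    }

    function withdraw() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "nothing to withdraw");
        // Zero the balance before the external call to block re-entrancy.
        pendingWithdrawals[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "withdrawal failed");
    }
}
```

In `PullThrone`, a failed payout reverts only the previous king's own `withdraw()` call, and the amount stays recorded for a later attempt with more gas.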