Explorer, Wallet, and Network monitor all in one. Easy, Fast, and Clean

Explorer, Wallet, and Network monitor all in one. Easy, Fast, and Clean

In the last 24 hours the gambling dApp EOSPlay has been attacked by some EOS accounts that managed to exploit a weakness on the smart contract and steal approximately 30,000 EOS.

Although the attacker used REX to have more resources for his transactions, the EOS network worked perfectly as it should have. The weakness was only within the EOSPlay smart contract, which used an unsafe method to calculate random numbers.

What the attacker did (by Dexaran):

Rented a huge amount of resources (CPU and NET) on the Resource Exchange (REX) Staked rented resources for (1) himself and (2) attacked contract. Congested the network, therefore CPU cost spiked. Initiated some transactions to the attacked contract. Won a lot of EOS in gambling DApps.

What was EOSPlay weakness?

Apparently their smart contract used the hash of the EOS blockchain to calculate the random number used on every game. By sending deferred transactions, the attacker managed to check the block hash and therefore predict the outcome of EOSPlay's future random numbers. Once the number was predicted, he was able to block all non-winning transactions, and allowing winning transactions to be broadcasted.

As soon as the EOSPlay team realized what was happening, they managed to disable their smart contract operations. By doing so, they were able to secure the rest of their funds on their main EOS account eosplaybrand, which now has approximately 150,000 EOS.

In all this however, the EOS mainnet worked as it should have. The attacker bought his resources on REX because it is the most efficient and economical way to proceed, and every REX staker received their share.

Dan Larimer himself expressed his opinion on the matter: https://twitter.com/bytemaster7/status/1172820931317850112

Read Dexaran 's article on the event: https://medium.com/@dexaran820/eos-congestion-9-13-2019-and-eosplay-hack-cbafcba2d1dc