TL;DR On September 11th 2019, I stumbled upon FairWin.me, a suspicious and busy project on Ethereum responsible for $1.5m worth of gas usage in the last 30 days. In the following three weeks, I reached out to various members in the community and we discovered the following:
- Current contract contains a critical vulnerability
- $8 million worth of ETH stored in the contract could’ve been stolen by admins
- Contract is filled with bugs and poor coding practices
- Pictures and emails on website are fake
- $250k was drained in a previous version of the contract
On September 26th, we decided to disclose the presence of vulnerabilities publicly, when the contract held close to 50k ETH (~$8m). On September 30th, 4 days after the disclosure, the contract held 0 ETH. In total, the contract received 687,598 ETH (~$125,000,000) before the Ponzi scheme collapsed.
This is a short blog post detailing our journey to take down FairWin and is a collaborative work between me, Daniel Luca, Harry Denley, Griff Green, Oleksii Matiiasevych, David Wolever, Taylor Monahan and many others, some of whom preferred not to be mentioned.
The Abridged Journey
This is a brief history regarding the discovery of the vulnerabilities, their disclosure and the collapse of the FairWin empire.
The Stumble (11/09/2019)
18h: I took a look at the website and thought it looked suspicious, especially considering the nature of the project. Turns out the team section is fake:
19h: I took a look at the contracts to see why they were using so much gas and if they were secure. Not surprisingly, the contracts are filled with typos and bugs:
The Original Hack (12/09/2019)
21–23h: After a day of work and a nice dinner, I started looking for an exploit. So far, I haven’t been able to find one, but I found out that an earlier version of the contract was drained for 2,662 ETH on July 27th.
Looking at the exploiter’s address for the old exploit, it’s pretty easy to find out who it was and I therefore reached out to him, curious as to where he first heard of this project. Daniel Luca is actually a security auditor from ConsenSys Diligence!
Turns out the old contract had a public method sendFeeToAdmin(amount) that could send any amount to one of the owner’s addresses, and this is how Daniel emptied the contract (not to his benefit).
Daniel actually found this older contract and its vulnerability with a tool he made called Karl, which monitors smart contracts deployed on Ethereum and tests them for vulnerabilities. While this was fixed in the latest version of the contract, admins still had the possibility of emptying the contract, enabling them to drain it whenever they pleased (they decide who gets the rewards and how much). Good thing we don’t know who they are.
Went to bed not long after contacting Daniel since he is based in Romania and was most likely sleeping at the time.
The First Contact (13/09/2019)
2 AM: He replied:
8 AM: Daniel Luca and I exchanged a few messages and decided to collaborate to bring this case to light. We contacted some Huobi contacts after noticing that many addresses investing in FairWin got their funds from there.
The Huobi Silence (14/09/2019)
I went to a cottage for the weekend and we got no replies from Huobi’s contact.
The Discovery (15/09/2019)
Still no replies from Huobi, and we started discussing publishing a blog post to try to raise awareness within our own community, until …
18h: I found an exploit. Turns out one can front run users before they deposit, steal the invite code they are about to use, and when their transaction goes through, the ETH they deposit will be associated with you. This means that anyone can steal the ETH deposited by users simply by front running them. It’s not free and comes with some risks, but it’s not difficult either.
The Preparation for War (15–23/09/2019)
Life and work got in the way early in the week and we decided to reach out to more people to get their opinion. That’s when we got into contact with Griff Green, Harry D. and Oleksii Matiiasevych, with whom we formed a chat and discussed what course of action we should take. Harry was hammering Dune Analytics to get important data on the FairWin.me contract, Griff helped us get in contact with various key people and helped coordinate all the efforts, while Oleksii confirmed the exploit and looked for further vulnerabilities.
After days of discussing and analysis, we came up with the three following options:
- Do nothing → Later exit scam/collapse (might save money for early investors)
- Announcing the vulnerability → Sooner exit scam/collapse (saves money for those who didn’t invest yet and those who can withdraw in time)
- Front running → Later-ish exit scam/collapse (saves money for those whom we front run, and those who didn’t invest yet)
By “exit scam” we mean that the admins could potentially take out all ETH from the contract if they wish so and by “collapse” we mean when there are not enough funds in the contract to cover all withdrawals initiated by users.
The Army Grows (24–25/09/2019)
We started disclosing the vulnerability to more people in the community, mainly people involved with Ethereum related security. Consensus emerged around a progressive disclosure of the vulnerability and not taking any action.
The Scam Exposed (26/09/2019)
We decided to disclose the presence of vulnerabilities without giving too many details regarding the vulnerabilities themselves.
21h45 EST: We mass disclosed the presence of vulnerabilities publicly.
At this time, the contract contained close to 50k ETH (~$8m). It takes between 5–6 days after a user deposits funds before they are able to withdraw them, but it could take longer for all funds to be withdrawn.
The Exploits Explained (29/09/2019)
At this time, the contract held about 19k ETH (~$3m), a significant decrease. Clement also reached out directly to the FairWin team, who replied publicly that there was no vulnerability nor could they steal users’ funds (both claims are false, of course).
The Collapse (30/09/2019)
The contract is now completely empty. This was much faster than I personally anticipated. Unfortunately, many people tried to withdraw their funds unsuccessfully, with the latest valid withdrawal being this transaction.
Was the contract exploited?
We looked for whether the contract had been compromised by the FairWin team itself or by third parties. While we found no evidence of the front-running vulnerability having been exploited, we cannot yet rule out that the FairWin team acted maliciously in the last few days. Indeed, since they effectively choose who is allowed to withdraw and when, it’s possible they favored some accounts over others in the last few days, possibly addresses they control. More investigation is required to determine if this was the case (if you are looking for a fun project, you should take a look yourself).
The main exploit would’ve allowed a front runner to steal the funds of a user about to invest in FairWin. Basically, every time a user “invests” in the contract (calling the invest() method), they provide an “inviteCode”. This inviteCode is then mapped to the first address using the code, and all further investments providing that code will belong to the first address that used it. Hence, if someone is about to invest 10 ETH, a front runner can use the same code as them, invest 1 ETH right before the 10 ETH investment tx is included, and the front runner will then be able to withdraw 11 ETH after a short period of time.
You can refer to Clement’s excellent post for more details on how this exploit works and how the admins could’ve drained the contract.
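To make the accounting flaw concrete, here is an added Python model of the two credit rules (my own illustration, not FairWin’s contract code): the vulnerable rule credits every deposit to the first address that used the invite code, the hardened rule credits the sender and treats the code purely as a referral link. The Deposit/Ledger names, the misattributed() audit helper and the sample addresses are constructed for the example.

```python
"""Toy model of invite-code accounting: vulnerable (credit the code's first
user) versus fixed (credit the sender). Constructed example, not FairWin code."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Deposit:
    sender: str
    invite_code: str
    value_eth: int  # whole ETH to keep the arithmetic obvious


@dataclass
class Ledger:
    credit_code_owner: bool  # True = FairWin-style rule, False = fixed rule
    code_owner: dict = field(default_factory=dict)
    balances: dict = field(default_factory=lambda: defaultdict(int))
    referrals: dict = field(default_factory=lambda: defaultdict(int))

    def invest(self, d: Deposit) -> str:
        """Apply one invest() call; returns the address that was credited."""
        # First sender to present a code becomes its owner (same in both rules).
        owner = self.code_owner.setdefault(d.invite_code, d.sender)
        if self.credit_code_owner:
            credited = owner  # vulnerable: later deposits flow to the code owner
        else:
            credited = d.sender  # fixed: a deposit always belongs to its sender
            if owner != d.sender:
                self.referrals[owner] += d.value_eth  # code only tracks referrals
        self.balances[credited] += d.value_eth
        return credited


def apply_deposits(credit_code_owner: bool, deposits) -> dict:
    """Replay a deposit sequence under one rule and return final balances."""
    ledger = Ledger(credit_code_owner)
    for d in deposits:
        ledger.invest(d)
    return dict(ledger.balances)


def misattributed(deposits) -> list:
    """Audit helper: (sender, credited) pairs the FairWin rule would misattribute."""
    ledger = Ledger(credit_code_owner=True)
    return [(d.sender, c) for d in deposits if (c := ledger.invest(d)) != d.sender]


# Constructed sample: a 1 ETH deposit with code "ABC" lands in the same block
# just ahead of a 10 ETH deposit that presents the same code.
SAMPLE = [Deposit("0xFRONTRUNNER", "ABC", 1), Deposit("0xVICTIM", "ABC", 10)]

if __name__ == "__main__":
    print("vulnerable rule:", apply_deposits(True, SAMPLE))
    print("fixed rule:     ", apply_deposits(False, SAMPLE))
    print("misattributed:  ", misattributed(SAMPLE))
```

Under the vulnerable rule the whole 11 ETH ends up withdrawable by the code’s first user, which is exactly the outcome described above; under the fixed rule the 10 ETH stays with its sender.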
Bonus: Here’s another excellently awkward video posted by the FairWin team the day after the vulnerabilities allegations were out. That video only stayed a few days on the website before being taken down, but Harry managed to save it and upload it for our pleasure:
Special thanks to MyCrypto for helping with the investigation and blog post, Dune Analytics for the tool to analyse the contract, and the many people that provided feedback, suggestions and data: Ameen Soleimani, Samczsun, Marshal Webb and all others that I forgot to mention.