Largest Smart Contract Attacks in Blockchain History Exposed — Part 1

AnChain.ai & SECBIT Joint Research Lab, 2018/08/17


Foreword by AnChain.ai

“APT is the worst nightmare in Cyber Security. How about Blockchain APT? Does BAPT even exist in Blockchain era? What does that mean to all of us?” — AnChain.ai, 20180820

APT (Advanced Persistent Threat): “Stealthy and continuous computer hacking processes, often orchestrated by persons targeting a specific entity.”

“BAPT”, or “Blockchain APT”, is a term proposed by AnChain.ai in August 2018.

The first BAPT hacker group in history, BAPT-LW20 (a coordinated operation by 3+ ETH addresses targeting the Last Winner DApp), was identified by AnChain.ai and SECBIT Lab. As of 20180821, the identified BAPT hacker groups, BAPT-F3D, BAPT-LW20, etc., are still at large, actively exploiting the targeted smart contracts, and have stolen 12,948 Ethereum (~$4 million).


The popularity of the “Last Winner” (Fomo3D-like copycat) DApp game left Ethereum extremely congested and sent the cost of Gas skyrocketing, while attracting large amounts of ETH.

1:38 am Aug 10, 2018 Beijing Time / 10:38 am Aug 9th California Time. SECBIT Labs received an alert from the Silicon Valley blockchain security startup AnChain.ai. Its AI-powered Situational Awareness Platform (SAP) had issued an early warning on the blockchain: a large number of suspicious transactions had been found in DApp smart contracts, together with an abnormal flow of funds. The SECBIT Lab team quickly analyzed the related smart contracts and transactions based on these clues.

Quietly Launched: Inexplicably Popular “Last Winner”

“Last Winner” is a DApp game based on an Ethereum smart contract, launched on August 6th. Since launch, it has looked fishy ...

The game contract address is 0xDd9fd6b6F8f7ea932997992bbE67EabB3e316f3C

According to Etherscan, the game contract generated more than 270,000 transactions in just six days. Even the congestion of the Ethereum network was closely related to the Last Winner game. On August 8th and 9th, under the combined effect of the large-scale trading volume of Last Winner and Fomo3D, the number of unconfirmed transactions on Ethereum hit a new high for the year, and the average Gas cost at one point soared to more than 10 times normal.

The first round of the game had a prize pool of more than 16,000 Ethereum, and the players’ total investment exceeded 100,000 Ethereum. The first round has ended, and the second round’s prize pool has quickly accumulated to more than 7,000 Ethereum.

But behind the scene …

Fishy Facts: Unknown Sources of ETH Funding

According to the well-known media outlet Blockbeats, “Last Winner” is promoted and operated by a pyramid-selling (Ponzi scheme) organization called “ant colony communication”, which has a large number of members and strong promotion and recruiting ability [1]. According to another popular Fomo3D development team, Last Winner is a Fomo3D-like game, and the operations team behind it prepared 200,000 ETH for automated wash trading. Therefore, behind the hot Last Winner game there may be a well-planned MLM scheme, which initially used bots to generate bulk transactions, forging the illusion of activity and attracting new “leeks” (retail players) to enter.

The Last Winner game contract has a large number of abnormal transactions, accompanied by the creation and self-destruction of many contracts. This deviates greatly from the characteristics of normal human calling behavior, which put us on high alert.

Crazy DApp Mania: Targeting Chinese Market while Contract Code Closed Source

Promotional articles for the Last Winner game can be found in major forums, media, and WeChat groups; these articles have similar descriptions and are accompanied by promotional invitation codes. However, there is very little information in English about Last Winner.

Obviously, this is a game targeting the Chinese market, with an attractive promotion reward (pyramid selling, a Ponzi scheme), so it spread widely on the Internet. This game also has an app for Android and iPhone, which simplifies use and lowers the barriers to participation.

However, it is very suspicious that, as a blockchain game based on smart contracts, Last Winner does not publish its source code! This is a very dangerous signal. Why is such a game so popular, attracting so many people to participate?

From our instinct, this Last Winner DApp game smells fishy.

Security Concern: Last Winner is indeed Fomo3D copycat!

Last Winner’s official slogan writes:

“Last Winner (LW) is the first fully decentralized Fomo3D game DApp, based entirely on the Ethereum Smart Contract native development. Just download and install the app to participate in the game.”

A Fomo3D-like game whose source code is not published has to be regarded as suspicious. Be aware that it is very difficult to develop a fun and safe DApp game in a short period of time.

SECBIT Labs quickly analyzed the contract bytecode of Last Winner. Sure enough, the game contract’s function names are highly similar to Fomo3D’s. It is suspected that the source code of Fomo3D was directly copied (plagiarized), but more than 10 suspicious unknown functions have been added (Ooops, loaded goodies).

Although Fomo3D publishes its source code on Etherscan, that does not mean it is open source for anyone to use.

SECBIT Labs previously reported that after Fomo3D took off, various copycat versions of Fomo3D emerged endlessly. Previously, these copycat games often copied the Fomo3D official website and contract source code, and were suspected of being modified in some places. Last Winner went one step further by launching a mobile client and madly promoting it without revealing the smart contract source code.

One highlight of smart contract DApp games is their openness and transparency. The Last Winner game is completely the opposite, with a suspicious motive.

Warning from SECBIT and AnChain.ai: the risk of participating in this type of game is extremely high!

At that time, the grim situation was: on one hand, there were multiple addresses suspected of madly launching attack transactions. On the other hand, the DApp game contract was not open source and was highly suspicious, yet had attracted huge amounts of money. We felt the urgency and quickly launched the Crime Scene Investigation!

The AnChain.ai and SECBIT teams analyzed and monitored the abnormal transactions day and night, collected evidence, and located the source and the scale of the attack.

The SECBIT lab team split into two groups, one reverse-engineering the game contract bytecode and the other analyzing the hacker attacks.

Recall: Fomo3D Copycat DApp Airdrop Vulnerabilities

A Fomo3D game participant purchases “keys” to play. In addition to the large Grand Prize for the last purchaser, participants usually have the opportunity to win an “airdrop” award.

There is one main and one vice prize pool. Grand prizes and airdrop awards are paid from the main and vice prize pools respectively.

1% of the Ethereum entering the game goes into the vice prize pool. Every time you buy a key, you have a chance to get an airdrop. The airdrop probability starts at 0%, and for every additional ETH in sales orders it increases by 0.1%. At the same time, the size of the airdrop prize is linked to the purchase amount: if you purchase 0.1 ~ 1 ETH, you have a chance to win 25% of the vice prize pool. The more you buy, the bigger your chance of winning.

As soon as you enter the game interface, you see a clear reminder of the current winning probability and the prize pool amount. This design was originally meant to make the game more fun, attract funds into the game, and extend the game time. But in practice it did the opposite.

By analyzing the Last Winner game contract and the unusual trading behavior of these addresses in question, we have a preliminary answer in mind.

Let’s revisit transactions from 20 days ago. As early as July 24th, SECBIT Labs and PeckShield Technology simultaneously warned that the random-number logic of the Fomo3D smart contract could be exploited, and that the same security vulnerability exists in all copycat contracts that copy the source code [2]. The airdrop game, which relied on randomness in the original design, can be manipulated to greatly increase the probability of winning.

After SECBIT Labs reversed the bytecode, we found that the Last Winner airdrop reward code is basically the same as Fomo3D’s, with 91% similarity, so the same vulnerability may exist. For Fomo3D hackers, this is great news!

Hackers’ Massive Secret Weapons for Profits

The whole team was astonished by the results presented on the AnChain.ai Situational Awareness Platform big screen.

The suspicious addresses in the above screenshot, like “viruses”, wrapped tightly around the target contract, wilfully swallowing up its funds.

We observed that the addresses in the figure close to Last Winner have similar behavior patterns, such as:

  • They start a transaction to a contract address with 0.1 Ethereum.
  • Many of the transactions fail.
  • Successful transactions invoke a lot of “internal transactions”.
  • The “internal transaction” call logic is quite complicated, and is accompanied by the creation and self-destruction of a large number of contracts.

The SECBIT lab and AnChain.ai team concluded that these unidentified contracts were the secret weapon hackers used to attack Last Winner, and that it was through these contracts that hackers kept siphoning Ethereum out of the Last Winner game.

Crime Scene Investigation: Large Numbers of Similar Transactions with High Yield

In the above AnChain.ai Situational Awareness map, the suspected address with the largest footprint caught our attention: 0xae58. We then traced from this address.

On August 9th, the 0xae58 address held a balance of more than 300 Ethereum, and at the time it was initiating transactions to the address 0x5483. The transfer amount for each transaction was 0.1 Ether. Obviously, the hacker was attacking LW through the 0x5483 smart contract.

Let us look at the following status, which shows a successful transaction. On the surface, 0xae58 sent 0.1 Ether to the attack contract 0x5483, but this actually involved a lot of transfers back and forth between addresses. Finally, with the self-destruction of contract 0x7c77, 0.189 Ether was transferred back to the 0xae58 account.

Amazing! The attacker invested 0.1 Ethereum and finally gained 0.189. The instantaneous rate of return is as high as 89%, which is extremely profitable.

We quickly discovered that in addition to the 0xae58 address, four other addresses kept initiating similar transactions to the 0x5483 contract, continuing to receive high returns.

A failed transaction consumes only 27,712 Gas, so its cost is very low.

The research goal was immediately locked onto the attack contract 0x5483. Because the source code was not available, SECBIT Lab immediately used internal tools to perform reverse analysis.

Profiteering: The Shocking Facts of Lucky Hackers!

On August 13th, while SECBIT Labs was immersed in the optimization and ingenious design of the hacker’s attack contract, AnChain.ai shared the latest Situational Awareness threat intel.

Among them, the most profitable attack is by the team headed by the 0x820d address. They have accumulated more than 5,000 Ethereum. The AnChain.ai team and the SECBIT lab pinpointed this hacker group and named it BAPT-LW20 (Blockchain APT — Last Winner).

BAPT-LW20 is by far the most advanced and persistent hacker group on the blockchain.

In just 6 days, the BAPT-LW20 team launched nearly 50,000 transactions and extracted 5,194 Ether, with a profit value of nearly $2 million.

From the trend graph of hourly attack transactions (below), we can tell that the peak attack period was from August 8 to 10, with an average hourly withdrawal of nearly 100 Ethereum, nearly $33,000, at the prime time of Last Winner. As the game entered its later stage, players’ funds dropped sharply, revenues decreased, and the hackers had to reduce their attack frequency.

Let’s take a look at another chart, hourly stolen ETH (below). In the bleak long bear market, hackers are actually making millions of dollars in one week.

The picture below shows the “ratio of transaction volume vs ETH”, or the “Lucky Chart”. It can be seen that the hacker sent only 10% of the total transaction volume, but took 49% of the bonuses in the Last Winner prize pool. The hacker’s attack skills bring them good luck that ordinary players can’t match; it is almost impossible for ordinary players to get airdrop rewards in this game.
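As an added example (not code from the original report, AnChain.ai or SECBIT), the following Python heuristic scores senders against the four behavior patterns listed earlier (fixed 0.1 ETH value, many failures, internal transactions, create-and-self-destruct bundles) and the “Lucky Chart” ratio of airdrop share to transaction share. The Tx records, the “0xplayer” addresses, the shortened “0x5483”/“0x7c77” labels and the internal-trace encoding are constructed sample data; the only real identifier is the Last Winner contract address from the article.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Last Winner game contract address from the article (lower-cased for comparison).
GAME = "0xdd9fd6b6f8f7ea932997992bbe67eabb3e316f3c"

@dataclass
class Tx:
    sender: str
    to: str
    value_eth: float
    success: bool
    internal: list = field(default_factory=list)  # (op, target) pairs, e.g. ("create", "0x7c77")
    airdrop_eth: float = 0.0                      # airdrop prize paid out because of this tx

def related_contracts(txs):
    """The game itself plus every contract whose internal calls reach the game."""
    rel = {GAME}
    for tx in txs:
        if any(op == "call" and target == GAME for op, target in tx.internal):
            rel.add(tx.to)
    return rel

def profile(txs):
    """Per-sender aggregates over transactions sent to the game or a related contract."""
    rel = related_contracts(txs)
    stats = defaultdict(lambda: {"n": 0, "fail": 0, "values": set(), "bundle": 0, "won": 0.0})
    for tx in txs:
        if tx.to not in rel:
            continue
        s = stats[tx.sender]
        s["n"] += 1
        s["values"].add(round(tx.value_eth, 6))
        s["won"] += tx.airdrop_eth
        if not tx.success:
            s["fail"] += 1
            continue
        ops = {op for op, _ in tx.internal}
        if {"create", "selfdestruct"} <= ops:  # create-and-burn bundle within one tx
            s["bundle"] += 1
    return stats

def flag_senders(txs, min_txs=5, fail_rate=0.5, luck_ratio=3.0):
    """Return senders matching at least two of the patterns, with the reasons."""
    stats = profile(txs)
    total_n = sum(s["n"] for s in stats.values())
    total_won = sum(s["won"] for s in stats.values())
    flagged = {}
    for sender, s in stats.items():
        if s["n"] < min_txs:
            continue
        reasons = []
        if len(s["values"]) == 1:
            reasons.append("fixed value per tx")
        if s["fail"] / s["n"] >= fail_rate:
            reasons.append("high failure rate")
        ok = s["n"] - s["fail"]
        if ok and s["bundle"] == ok:
            reasons.append("every success creates and self-destructs contracts")
        tx_share = s["n"] / total_n
        win_share = s["won"] / total_won if total_won else 0.0
        if win_share >= luck_ratio * tx_share:  # the "lucky chart" test
            reasons.append(f"win share {win_share:.0%} vs tx share {tx_share:.0%}")
        if len(reasons) >= 2:
            flagged[sender] = reasons
    return flagged

# Constructed sample: 90 ordinary key purchases by three players, then 10 calls from
# "0xae58" to an attack contract "0x5483" (addresses shortened as in the article).
SAMPLE = [
    Tx(f"0xplayer{i % 3}", GAME, 0.1 + (i % 5) * 0.2, True, airdrop_eth=0.25 if i % 31 == 0 else 0.0)
    for i in range(90)
]
for i in range(10):
    ok = i % 5 >= 3  # 4 of the 10 calls succeed, 6 revert cheaply
    bundle = [("create", "0x7c77"), ("call", GAME), ("selfdestruct", "0x7c77")]
    SAMPLE.append(Tx("0xae58", "0x5483", 0.1, ok, bundle if ok else [], airdrop_eth=0.189 if ok else 0.0))
```

`flag_senders(SAMPLE)` reports only “0xae58”, with all four reasons, while the three ordinary players match none of them.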

Chasing the Most Wanted: BAPT-LW20 At Large

We chased this Most Wanted, the BAPT-LW20 hacker group, and successfully reconstructed the BAPT hacking timeline.

The chart below shows the changes in the account balance of the BAPT-LW20 team.

The “Captain” of BAPT-LW20 is the deployer of all the attack contracts and the one who launched the attack. The “Captain” was first active on July 20th, and its initial ETH funding came from the San Francisco based Kraken exchange.

After receiving 10 ETH from the Kraken exchange, it deployed its first contract. There may have been some parts that were not ideal, as it did not continue to use that contract. Three minutes later, it deployed a second contract targeting Fomo3D. After a set of preparations, several failed calls, and two successful but unprofitable attempts, it may have found bugs in its attack smart contract and started to optimize it.

In the next 14 hours, the Captain deployed 8 contracts in turn for attack testing, without success. Finally, the attack succeeded for the first time with the 9th contract, turning 0.1 ETH into 0.125 ETH.

Boom! The diligent and smart Captain just found the key to the treasure!

Immediately, it launched 11,551 contracts from July 21st to July 23rd.

On July 23, the Captain deployed a new contract to shift the attack to another Fomo3D copycat game, RatScam (0x5167350d082c9ec48ed6fd4c694dea7361269705).

The BAPT-LW20 Team deployed 2299 attack contracts in one day.

One day later, the Captain found a new target, a copycat game called FoMoGame (0x86D179c28cCeb120Cd3f64930Cf1820a88B77D60), and deployed a new contract to attack it. The game was not well-funded, so the hacker gave up after 126 calls.

Soon, on July 26, BAPT-LW20 launched the new attack contract. A total of 23,835 transactions occurred on the contract; its most recent activity was August 10 (7 days ago). This attack contract allows the attacker to customize the victim game contract address.

Brilliant! Reusable code! Remember in your CS101 class?

Therefore, over the next few days, the Captain continued to mess around with DApp games such as the original Fomo3D, RatScam, FoMoGame, etc., and kept observing the dynamics of other copycat games, waiting for an opportunity. At the same time, several new contracts continued to be deployed for tuning and testing.

Finally, on August 6th, the “Last Winner” game went live.

24 hours later, it used the prepared contract to launch the first attack against Last Winner, and concentrated on the next 4 days, madly exploiting the airdrop vulnerability.

On August 10th, the Captain called the attack contract’s withdraw function and drained the balance inside. The attack appeared to have been suspended.

It turned out that they had already deployed a new version of the attack contract, Version 3.0, and launched more than 30,000 transactions, which are still actively attacking as of today.

Not Just Airdrops: BAPT-LW20 Snatched the Grand Prize!

On the morning of August 17th, Beijing time, the first round of the Last Winner game ended. The Grand Prize was won by the address 0x5167, and the total amount of the prize was 7,754 Ethereum.

This address is one of the five addresses of the BAPT-LW20 hacking team.

As shown below, 14 hours earlier, the hackers were still using the attack contract to get airdrop rewards. Subsequently, they changed their approach, directly using their own address to buy keys and participate in the game, repeatedly trying to win the final prize. After that, they continued to call the attack contract against the LW game.

The SECBIT lab speculates that the hackers had been lurking for a long time and were well prepared, using scripts to monitor the state of the LW game over a long period so that they could win the grand prize when everyone relaxed their vigilance.

The BAPT-LW20 hacker group exploited the airdrop vulnerability to profit more than 5,194 Ether, while also winning the final prize of 7,754 Ether, for a cumulative profit of 12,948 Ether, equivalent to $4 million.

Theory: Who is BAPT-LW ?

This ultra-large-scale Fomo3D smart contract game was attacked, and the secret weapon used by the attacker was also a smart contract.

According to SECBIT lab analysis, the 0x20C9 address was the first to successfully exploit the original Fomo3D airdrop vulnerability and get rewards. We identified it and named it BAPT-LW10.

0x20C9 created the attack contract 0xe7ce at 10:07 on July 8th. In the next ten minutes, it was called three times, and finally won the reward on the fourth call: 0.1 Ethereum invested, 0.19 recovered, a return rate of up to 90% (see picture below).

Since then, 0x20C9 has continued to deploy multiple attack contracts for debugging and optimization. Eventually, the final version, the 0x39ac attack contract, was deployed on July 23 and has been called more than 90 times since, with targets including the original Fomo3D, Last Winner and other copycat versions of Fomo3D.

According to our observation, 0x20C9 is the first hacker to research and successfully exploit the airdrop vulnerability. During the course of the study, SECBIT Labs found that 0x20C9 was closely related to another DApp game (name undisclosed). SECBIT Labs has a theory that one of the core developers of that popular DApp game may be the suspect.

Hackers Carnival: Why is “Last Winner” So Attractive?

Shortly after the original Fomo3D was launched, the airdrop vulnerability was discovered and successfully exploited. As the game spread widely and the vulnerabilities were gradually revealed, the attack methods for the airdrop vulnerability were also upgraded and evolved. Finally, some hacker teams completed sophisticated attacks that earn rewards at low cost and high efficiency, can attack any similar game contract on a large scale, and madly harvest Ethereum.

According to our analysis, in addition to the LW game, many hacker teams have tried to attack other Fomo3D game contracts. But their profit is much smaller than what the BAPT-LW20 team got in the LW game.

We tried to find the answer from the LW game itself.

The LW game is a Fomo3D copycat with little innovation in itself, but its admission funds were fully concentrated from the 2nd to the 5th day after the game started. A huge amount of admission funds makes the game’s airdrop prize pool accumulate quickly, so this period is also a golden opportunity for hacker attacks.

Even worse, the Last Winner team modified the airdrop game parameters, raising the proportion of Ethereum entering the vice prize pool (airdrop prize pool) from 1% to 10%, which is equivalent to a 10 times higher airdrop bonus!

On one hand, the game operation team may have used high-volume airdrop rewards to attract users to join the madness; on the other hand, they may not have known the seriousness of the airdrop vulnerability, and increasing the reward ratio further amplified the problem.

“Last Winner” DApp Became Hackers’ ATM !

In particular, the first round of admission to the Last Winner DApp game reached 100,000 Ethereum, which means that more than 10,000 Ethereum in this game were continuously exposed to the risk of being attacked and ending up in a hacker’s bag. Keep in mind that the game’s first-round final prize pool was only 16,000 Ethereum. Originally, airdrop rewards were small amounts, but hackers continued to use the airdrop loophole, accumulating more and more, and eventually became the biggest winner of Last Winner.

We tracked multiple teams conducting large-scale automated attacks on Fomo3D and copycat contracts in an attempt to gain benefits.

The BAPT-LW20 team joined the battle 24 hours after the start of the game and quickly expanded the scale of the battle, eventually taking the lead and gaining huge profits.

SECBIT Labs tracked other hacker teams attacking the Last Winner contract. Some hackers entered the game after August 11th; although their scale was also very large, they made less profit because they missed the best timing.

Who is next?

On August 14th, the BAPT-LW20 hacker team’s 0x820d deployed two new versions of the attack contract again, this time aiming their guns at another unidentified contract that had been newly deployed a day earlier.

Looking at the flashing alerts on the AnChain.ai situational awareness platform screen, SECBIT Labs and AnChain.ai are well aware that the battle in the blockchain world may have just begun.

In 2009, Nakamoto created a new, virtual, decentralized world. It seemed to be a promised land of milk and honey, and people cheered and swarmed in. But like all ecosystems, the new world also has predators: there are traders and there are hackers. Applications on the blockchain are evolving, and so are the attackers. We have only revealed the tip of the iceberg of the new era of blockchain hacking.

“The Future Has Arrived — It’s Just Not Evenly Distributed Yet” — William Gibson

BAPT, the future of blockchain hacking, has arrived, just not evenly distributed.

Timeline of BAPT-LW20 & BAPT-F3D:

  • 2018/07/06 Fomo3D game contract goes online
  • 2018/07/08 A developer from a Fomo3D competitor discovers and exploits the airdrop vulnerability
  • 2018/07/20 Fomo3D game becomes popular in China
  • 2018/07/20 BAPT-LW20 hacker team address becomes active
  • 2018/07/21 BAPT-LW20 team successfully exploits the Fomo3D airdrop vulnerability for the first time
  • 2018/07/23 BAPT-LW20 team attacks the copycat game RatScam
  • 2018/07/23 Péter Szilágyi discloses the Fomo3D airdrop vulnerability on Reddit [3]
  • 2018/07/24 SECBIT Labs discloses the Fomo3D and copycat airdrop vulnerability
  • 2018/07/24 BAPT-LW20 hacker team attacks FoMoGame
  • 2018/07/26 BAPT-LW20 hacker team deploys a new version of the attack contract, 0x5483
  • 2018/08/06 Fomo3D-like game Last Winner goes online
  • 2018/08/07 LW game is getting hot
  • 2018/08/07 BAPT-LW20 hacker team starts attacking the LW game
  • 2018/08/09 Ethereum’s unconfirmed transaction volume hits a new high for the year
  • 2018/08/10 Early morning: AnChain.ai SAP (Situational Awareness Platform) issues an early warning of suspicious transactions on game DApp contracts
  • 2018/08/10 SECBIT Labs teams up with AnChain.ai to conduct an investigation
  • 2018/08/10 BAPT-LW20 hacker team transfers funds out of the old contract and continues the attack with the new version of the contract
  • 2018/08/11 BAPT-LW20 attack timeline reconstruction completed
  • 2018/08/12 BAPT-LW20 attack method reconstruction completed
  • 2018/08/13 Analysis of more attack sources
  • 2018/08/13 Panoramic analysis of BAPT-F3D and BAPT-LW20 attack data completed; hackers profited over 5,000 Ether
  • 2018/08/14 BAPT-LW20 hacker team once again deploys a new version of the attack contract and starts attacking an unknown contract
  • 2018/08/17 BAPT-LW20 hacker team wins the LW final prize of 7,754 Ether
  • 2018/08/17 SECBIT Lab & AnChain.ai complete the report on the BAPT-LW20 attacks

[Coming Next!] How BAPT-LW20 Launched the 15,000 Attack Contracts!?

References

[1] Blockbeats: 80,000 transactions “sealed” the Ethereum network, just to snatch the Fomo3D award? https://mp.weixin.qq.com/s/5nrgj8sIZ0SlXebG5sWVPw
[2] PeckShield: Pwning Fomo3D Revealed: Iterative, Pre-Calculated Contract Creation For Airdrop Prizes!, https://peckshield.com/2018/07/24/fomo3d/, 2018/07/24
[3] Péter Szilágyi’s airdrop exploit POC, https://www.reddit.com/r/ethereum/comments/916xni/how_to_pwn_fomo3d_a_beginners_guide/, 2018/07/23
[4] AsicBoost — A Speedup for Bitcoin Mining, https://arxiv.org/pdf/1604.00575.pdf, 2016/03/31

Acknowledgement

AnChain.ai would like to acknowledge Graphistry for supporting the graph visualization.


About the Authors:

AnChain.ai Inc. (info@AnChain.ai):

AnChain.ai Inc is an AI-powered blockchain security startup in Silicon Valley, founded by industry veterans from FireEye, Mandiant, McAfee, Yahoo, Pivotal, EMC and Amazon. AnChain.ai offers two key products for DApp, exchange and wallet customers:

  • SAP: Situational Awareness Platform, which proactively protects blockchain and smart contract transactions, powered by our proprietary patented AI, Knowledge Graph and threat intel. SAP is offered as SaaS (API, Web UI) and as a Blockchain APT (BAPT) monthly report subscription.
  • CAP: Contract Auditing Platform, a containerized, cloud-scale platform for automatic, semi-automatic and expert auditing. We provide auditing reports for Solidity / ERC smart contracts that meet top crypto exchanges’ compliance requirements.

Join AnChain.ai Blockchain Security Partnership Program, or Pilot Customer Program today!

SECBIT Lab (info@secbit.io):

SECBIT Labs focuses on blockchain and smart contract security issues, comprehensively monitors smart contract security vulnerabilities, provides professional contract security audit services, conducts comprehensive and in-depth research on smart contract security technologies, and is committed to helping build a credible, orderly blockchain economy.

AnChain.ai & SECBIT Joint Research Lab was founded in Aug 2018, in Silicon Valley.

Chinese version: http://chaindd.com/3107866.html

This article is copyrighted by AnChain.ai and SECBIT Lab. The citation of the article should include the source, author name, and hyper link to the article.