EOSBet Statement on Hack and 1st Dividend Distribution

Summary

On October 15th, a vulnerability in our Dice smart contract was exploited by an unknown hacker who managed to steal 142,845 EOS from our hot wallet.

The remaining 532,263 EOS in our cold storage account and 196,441 in our dividends account are both secure.

The stolen funds were moved to Bitfinex and Poloniex, where they were quickly frozen. We are working with these exchanges to recover these funds.

Dice has been patched and is back online. Our immediate priorities are to continue with our scheduled dividend payout to all BET token holders and recover our stolen funds from exchanges.

This hack was the result of irregular and unexpected behavior in the EOS code, in addition to a lack of checks in our smart contract, for which we take responsibility. We’ve spoken with several other dApps to warn them of this vulnerability and ensure they’re protected against it. Thank you to the BPs who assisted us, especially Syed from EOS Cafe Block, Kedar from Liberty Block, and shEOS.

Damage from the hack was lessened by our previous security upgrades, which included moving the majority of funds into cold storage. We will continue to harden our security practices by implementing an automated bankroll management system and undergoing additional testing.

All of our new contracts have undergone or will go through rigorous testing by top-tier auditing firms, such as Hacken. This may push back the release date for Games 2 and 3 from October to November, but we believe this is a necessary trade-off.

Dice Promotion

Dice has been patched and is back online now. We will award the winners from yesterday’s competition from their respective positions before we took the game offline.

We will continue the promotion until the 19th. As a thank you for having the games offline for 12 hours, we will be lowering the BET bonus airdrop as follows:

First Dividend Distribution!

As planned, we will also be distributing our first dividend payment today. Over 200,000 EOS ($1,000,000+ USD) will be sent to BET token holders today at 00:001 UTC. Be sure to check your accounts!

Hack Technical Explanation

The eosio.token core code is set to “notify” both the sender and the receiver of EOS tokens that there are incoming tokens.

https://github.com/EOSIO/eos/blob/master/contracts/eosio.token/eosio.token.cpp#L74

Our Dice contract first checks that we are the sender of the EOS tokens. If we are, then the contract does nothing (because we are paying someone for a winning bet). This is expected behavior.

Otherwise, our contract assumed that the tokens were being sent into our contract. This is the critical issue: due to an unforeseen interaction, an exploiting contract can “notify” our contract that a token transfer is happening between two completely separate parties. The notification is sent by their smart contract, but it reaches our contract looking as though it came from eosio.token (rather than from their account). Because we did not explicitly check that our contract was the receiver of the tokens (we assumed this had to be the case), we credited transfers that never reached us, and this is how we were exploited.

To protect yourself against this issue, you should add this line to the function that reacts to a token transfer:

eosio_assert(transfer_data.from == _self || transfer_data.to == _self, "Must be incoming or outgoing transfer");

If you only want to accept tokens (and do not ever send tokens from your contract), then this will suffice:

eosio_assert(transfer_data.to == _self, "Must be incoming transfer");

We are not going to show example code on how to repeat this issue, due to the possibility that other contracts are still vulnerable on mainnet. However, EOS smart contract developers must note that a malicious contract can forward the “code” parameter to your contract's apply function. Therefore, very explicit checks are needed on the action arguments that arrive through a require_recipient() notification.
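To make the two checks above concrete, here is an added, self-contained C++ model of a hardened transfer handler. It is not EOSBet's contract code and uses no EOSIO headers: std::runtime_error stands in for eosio_assert, the account name "dicecontract" and the struct fields are constructed for the example, and the handler also insists that the notifying contract (the "code" parameter) is eosio.token.

```cpp
// Added example: model of a transfer handler that only credits transfers
// that really reach this contract. Plain C++, no EOSIO dependencies.
#include <stdexcept>
#include <string>
#include <utility>

// Shape of the "transfer" action arguments (constructed for the example).
struct transfer_args {
    std::string from;
    std::string to;
    long long   quantity;  // whole tokens for simplicity
    std::string memo;
};

enum class outcome { credited, ignored_outgoing, rejected };

// Stand-in for eosio_assert: abort the action on a failed check.
static void model_assert(bool cond, const char* msg) {
    if (!cond) throw std::runtime_error(msg);
}

class dice_model {
public:
    explicit dice_model(std::string self) : self_(std::move(self)) {}
    long long bankroll() const { return bankroll_; }

    // Called for a "transfer" action whose notifying contract is `code`.
    outcome on_transfer(const std::string& code, const transfer_args& t) {
        // The action must originate from the real token contract.
        model_assert(code == "eosio.token", "transfer must come from eosio.token");
        // Our contract must be one of the two parties (the check from the post).
        model_assert(t.from == self_ || t.to == self_,
                     "Must be incoming or outgoing transfer");
        if (t.from == self_) return outcome::ignored_outgoing;  // our own payout
        model_assert(t.quantity > 0, "must transfer positive quantity");
        bankroll_ += t.quantity;  // genuinely incoming: credit the bet
        return outcome::credited;
    }

private:
    std::string self_;
    long long   bankroll_ = 0;
};

// Wrapper that turns a failed assertion into outcome::rejected.
outcome handle(dice_model& d, const std::string& code, const transfer_args& t) {
    try { return d.on_transfer(code, t); }
    catch (const std::runtime_error&) { return outcome::rejected; }
}
```

A transfer between two third parties, or a "transfer" notified by anything other than eosio.token, is rejected before it can touch the bankroll.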

Conclusion

We are continuing to move forward with dividends, game development, and some new, exciting features that we can’t wait to share with you all. As the first and biggest dApp on EOS, we’ll always have a target on our backs. We realize this, and are striving to make our security practices as strong as they can be on this relatively untested blockchain. Thanks for sticking with us these past two months. We look forward to many more.

Sincerely,

The EOSBet Team