A real story: hopeless crypto-kitty rescue
The private key was compromised; any ether drained right away. Yet five kitties left helpless.
This afternoon, my professor messaged me saying that his unattended Github repo accidentally revealed the private key to the public. A malicious scanner captured the key, and now draining all the funds.
It happened
Any ether goes in the wallet is drained right at the moment…
Money is no issue, but the kitties matter
Though there are no more ethers in the wallet that we can save, five crypto kitties are stuck. Without any available gas, it seemed impossible that we can rescue the kitties from the tragedy.
Two Alternatives
We soon came up with two alternatives:
- “Create a bot to compete with the hacker’s bot, and see who is blessed.” — Lee Ting Ting
- “Find a leeway to bypass the threshold of the ether detection of the hacker’s bot.” — Jeff Hu (me)
Considerations
Method (1) sounds interesting, yet it takes time and chance to win over the competitions. Method (2) seemed intuitive but may work.
Measurements
As the gas usages of the hacker’s actions are constantly being 0.00168 ether (Figure 1), we boldly expect that a transferral with the amount less than 0.00168 ether is invisible to the hacker. By checking the latest successful crypto kitties transferral of this account, the gas usage is around 0.00035 ether.
We assumed that it presented plausible that the rescue action of kitties can succeed!
Reconnoiter
0.00033 ether was transferred to the account, since that we guessed that the current gas price now is lower than four months ago. And omg NO ETHER IS DRAINED! The first rescuing team of funds has arrived at the gate. :)
Engage
By this method, we successfully bypassed the hacker’s bot and eventually rescued the four most valuable kitties. Wait? What about the last one. For the last poor kitten, we decided to leave it there, being curious about how the hacker will act toward the rescue.
These are the rarest ones among the rescued:
The hacker flew into a rage
To our surprise, the hacker noticed the problem so soon and tried to drain the wallet to the last drip. But sadly, it did not worth the loss. Sequentially, he transferred 0.003 ether into the wallet and took out the money deducted by the 0.00168 ether fee. Later on, he transferred 0.002 more ether into and stole the last poor kitten, with the 0.00098 changes.
Finally, the kitten cost the hacker nearly 0.0025 ether in total, which was still beneficial because of that the least price of crypto kitties on the market is 0.003 ether. Good deal though.
Conclusion
Despite sharing the sadness of loss and the excitement of a successful rescue, there is not much to conclude. One last reminder is that NEVER put any of your keys on Github or public repos. Otherwise, you will be needing this tutorial very soon. :D
Contributors aside from the author
You can track all the histories right here at this address: 0x2CD068430a1b8d515753f2DD07d02f93a2E99A80, cuz it’s blockchain.
Also check out the Mandarin version written by Professor 寶博士(dAb)葛如鈞!