Ethereum Alarm Clock exploit leads to $260K in stolen gas fees so far

October 20, 2022 Coin Telegraph

Ethereum Alarm Clock exploit leads to 0K in stolen gas fees so far

Web3 security firm Supremacy highlighted Etherscan transaction history that showed the hacker(s) were able to swipe 204 ETH in gas fees so far, worth roughly $259,800.

A bug in the smart contract code for the Ethereum Alarm Clock service has reportedly been exploited, with nearly $260,000 said to have been swiped from the protocol so far.

The Ethereum Alarm Clock enables users to schedule future transactions by pre-determining the receiver address, sent amount, and desired time of transaction. Users must have the required Ether (ETH) on hand to complete the transaction and need to pay the gas fees upfront.

According to an Oct. 19 Twitter post from blockchain security and data analytics firm PeckShield, hackers managed to exploit a loophole in the scheduled transaction process which allows them to make a profit on returned gas fees from canceled transactions.

In simple terms, the attackers essentially called cancel functions on their Ethereum Alarm Clock contracts with inflated transaction fees. As the protocol dishes out a gas fee refund for canceled transactions, a bug in the smart contract has been refunding the hackers a greater value of gas fees than they initially paid, allowing them to pocket the difference.

“We've confirmed an active exploit that makes use of huge gas price to game the TransactionRequestCore contract for reward at the cost of the original owner. In fact, the exploit pays 51% of the profit to the miner, hence this huge MEV-Boost reward,” the firm wrote.

We've confirmed an active exploit that makes use of huge gas price to game the TransactionRequestCore contract for reward at the cost of original owner. In fact, the exploit pays the 51% of the profit to the miner, hence this huge MEV-Boost reward. https://t.co/7UAI0JFv72 https://t.co/De6QzFN472 pic.twitter.com/iZahvC83Fp
— PeckShield Inc. (@peckshield) October 19, 2022

PeckShield added at the time, it had spotted 24 addresses which had been exploiting the bug to collect the supposed “rewards.”

Web3 security frim Supremacy Inc also provided an update a few hours later, pointing to Etherscan transaction history that showed the hacker(s) were so far able to swipe 204 ETH, worth roughly $259,800 at the time of writing.

“Interesting attack event, TransactionRequestCore contract is four years old, it belongs to ethereum-alarm-clock project, this project is seven years old, hackers actually found such old code to attack,” the firm noted.

2/ The cancel function calculates the Transaction Fee (gas uesd * gas price) to be spent with the "gas used" over 85000 and transfers it to the caller. pic.twitter.com/aXyad0oDPv
— Supremacy Inc. (@Supremacy_CA) October 19, 2022

As it stands, there has been a lack of updates on the topic to determine if the hack is ongoing, if the bug has been patched, or if the attack has concluded. This is a developing story and Cointelegraph will provide updates as it unfolds.

Despite October generally being a month associated with bullish action, this month so far has been rife with hacks. According to a Chainalysis report from Oct. 13, there had already been $718 million stolen from hacks in October, making it the biggest month for hacking activity in 2022.

Cyber sleuth alleges $160M Wintermute hack was an inside job

September 27, 2022 Coin Telegraph

Cyber sleuth alleges 0M Wintermute hack was an inside job

Coin Telegraph

James Edwards bases his accusations on what he feels are dubious transactions and smart contract code that doesn’t match the post-mortem analysis.

A fresh new crypto conspiracy theory is afoot — this time in relation to last week's $160 million hack on algorithmic market maker Wintermute — which one crypto sleuth alleges was an "inside job."

Cointelegraph reported on Sept. 20 that a hacker had exploited a bug in a Wintermute smart contract which enabled them to swipe over 70 different tokens including $61.4 million in USD Coin (USDC), $29.5 million in Tether (USDT) and 671 Wrapped Bitcoin (wBTC), worth roughly $13 million at the time.

In an analysis of the hack posted via Medium on Sept. 26, the author known as Librehash argued that due to the way in which Wintermute’s smart contracts were interacted with and ultimately exploited, it suggests that the hack was conducted by an internal party, claiming:

“The relevant transactions initiated by the EOA [externally owned address] make it clear that the hacker was likely an internal member of the Wintermute team.”

The author of the analysis piece, known also as James Edwards, is not a known cybersecurity researcher or analyst. The analysis marks his first post on Medium but so far hasn't garnered any response from Wintermute or other cybersecurity analysts.

In the post, Edwards suggests that the current theory is that the EOA “that made the call on the 'compromised' Wintermute smart contract was itself compromised via the team’s use of a faulty online vanity address generator tool.”

“The idea is that by recovering the private key for that EOA, the attacker was able to make calls on the Wintermute smart contract, which supposedly had admin access,” he said.

Edwards went on to assert that there’s no “uploaded, verified code for the Wintermute smart contract in question,” making it difficult for the public to confirm the current external hacker theory, while also raising transparency concerns.

“This, in itself, is an issue in terms of transparency on behalf of the project. One would expect any smart contract responsible for the management of user/customer funds that’s been deployed onto a blockchain to be publicly verified to allow the general public an opportunity to examine and audit the unflattened Solidity code,” he wrote.

Edwards then went into a deeper analysis via manually decompiling the smart contract code himself, and alleged that the code doesn’t match with what has been attributed to causing the hack.

Another point that he raises questions about was a specific transfer that happened during the hack, which “shows the transfer of 13.48M USDT from the Wintermute smart contract address to the 0x0248 smart contract (supposedly created and controlled by the Wintermute hacker).”

Edwards highlighted Etherscan transaction history allegedly showing that Wintermute had transferred more than $13 million worth of Tether USD (USDT) from two different exchanges, to address a compromised smart contract.

“Why would the team send $13 million dollars worth of funds to a smart contract they *knew* was compromised? From TWO different exchanges?,” he questioned via Twitter.

His theory has, however, yet to be corroborated by other blockchain security experts, although following the hack last week, there were some murmurs in the community that an inside job could've been a possibility.

The fact that @wintermute_t used the profanity wallet generator and kept millions in that hot wallet is negligence or an inside job. To make things worse the vulnerability in profanity tool was disclosed a couple of days ago.
— Rotex Hawk (@Rotexhawk) September 21, 2022

Providing an update on the hack via Twitter on Sept. 21, Wintermute noted that while it was “very unfortunate and painful,” the rest of its business has not been impacted and that it will continue to service its partners.

“The hack was isolated to our DeFi smart contract and did not affect any of Wintermute's internal systems. No third party or Wintermute data was compromised.”

The hack was isolated to our DeFi smart contract and did not affect any Wintermute’s internal systems. No third party or Wintermute data was compromised.
— Wintermute (@wintermute_t) September 21, 2022

Cointelegraph has reached out to Wintermute for comment on the matter but has not received an immediate response at the time of publication.

Compound cETH market bricked by update — 7-day wait on vote to fix it

August 31, 2022 Coin Telegraph

Coin Telegraph

The code bug has plagued the cETH market and has affected Compound’s front-end user face, but the CEO confirmed that “funds are not immediately at risk.”

Decentralized lending platform Compound has been plagued by a code bug in a recent governance proposal to update its price feeds.

The code error has “temporarily frozen” the Compound ETH (cETH) market, causing cETH transactions to revert, but Compound Labs stated that despite the front end not working, “funds are not immediately at risk.”

Compound Labs announced on Aug. 31 that the code bug came from Proposal 117: Compound Oracle Upgrade v3, which was implemented a couple of hours ago to update the oracle contracts on the Compound protocol to a new version that uses Uniswap V3 instead of V2 for price feeds.

An hour ago, Proposal 117 was executed, which updated the price feed that Compound v2 uses.

This price feed, while audited by three auditors, contained an error that is causing transactions for ETH suppliers and borrowers to revert.https://t.co/a2DFk7h0ET
— Compound Labs (@compoundfinance) August 30, 2022

In response to the cETH market temporarily freezing, Compound Labs said it aimed to revert to the previous price feed via Proposal 119: Oracle Update. The new proposal was created less than one hour after Proposal 117 had been executed, however it now needs to go through seven-day governance process before taking effect.

According to an update from Security Solutions Architect Michael Lewellen of OpenZeppelin, the code bug came from the “getUnderlyingPrice” function, which did not update the price of cETH tokens, which would return empty bytes and cause the call to be reverted.

Read the following post for details on a Compound incident we are working to resolve for the cETH market. A fix is already underway and no funds are at risk at this time. The rest of the cToken markets on Compound V2 and all of V3 remain functional.https://t.co/CiSE3a99Wa
— OpenZeppelin (@OpenZeppelin) August 30, 2022

Lewellen also reaffirmed that no funds are at risk:

“The primary issue right now is a temporary denial of service for the cETH market which will be resolved by the new governance proposal. No funds are at risk at this time. The rest of the cToken markets on Compound V2 and all of V3 remain functional.”

However, Lewellen added that “any users that deposited ETH and obtained cETH for opening borrow positions must be aware that they might get instantly liquidated whenever the fix proposal executes if by that time the price of ETH has dropped significantly.”

But the CEO of Compound Labs Robert Leshner also added that users can still repay any debt and add collateral to avoid liquidation.

Compound Labs noted the code bug came despite the oracle contract being audited from three separate smart contract auditing companies, with OpenZeppelin and ChainSecurity among the recent firms to have audited Compound’s smart contracts.

Proposal 117 itself didn’t appear to be a controversial one, with all 696,665 votes from 245 different wallet addresses in favor of the price feed upgrade. Crypto investment firm Polychain Capital cast the most votes (306,146) in favor of the proposal.

According to DeFi Llama, Compound is the third largest decentralized lending platform, with $2.67 billion total value locked (TVL). The news has not affected the Compound token, COMP, so far which is currently priced at $48.27.

Smart Contract Bug