According to reports, a bug in the smart contract code of the Ethereum Alarm Clock service was exploited. Nearly $260,000 has been taken from the protocol so far.
The Ethereum Alarm Clock lets users schedule future transactions by specifying the recipient address, the amount to send, and the desired transaction time in advance. To complete the transaction, users must hold the necessary Ether (ETH) and pay the gas fees upfront.
PeckShield’s Oct. 19 tweet stated that hackers exploited a loophole in scheduled transactions that lets them profit from the gas fees returned for cancelled transactions.
The attackers simply called the cancel functions on their Ethereum Alarm Clock contracts with high transaction fees. The protocol refunds gas fees for cancelled transactions, but a bug in the protocol's smart contract allowed the hackers to take extra gas fees back.
“We’ve confirmed an active exploit that makes use of huge gas price to game the TransactionRequestCore contract for reward at the cost of the original owner. The exploit actually pays 51% of the profit back to the miner, thus the huge MEV-Boost reward,” wrote the firm.
PeckShield said that it had detected 24 addresses using the bug to collect “rewards.”
Supremacy Inc, a Web3 security firm, posted an update a few minutes later, pointing to Etherscan transaction histories showing that the hacker(s) had so far been able to steal 204 ETH, worth approximately $259,800 at the time of writing.
“Interesting attack event, TransactionRequestCore contract is four years old, it belongs to ethereum-alarm-clock project, this project is seven years old, hackers actually found such old code to attack,” the firm noted.
2/ The cancel function calculates and transfers the Transaction Fee (gas price * gas used) to be used with the “gas consumed” above 85000.
— Supremacy Inc. (@Supremacy_CA)
October 19, 2022
There have been no further updates on the incident so far, which makes it difficult to know whether the exploit is still ongoing, whether the bug has been fixed, or whether the attack is over. Cointelegraph will keep you updated as the story develops.
October is generally associated with bullish activity, but this month has been fraught with hacks. Chainalysis reports that $718 million had been stolen in hacks as of October 13, making it the largest month for hacking activity in 2022.