Ethereum Alarm Clock exploit leads 260K in gas stolen fees to date

According to reports, a bug in the smart contract code of the Ethereum Alarm Clock service was exploited. Nearly $260,000 has been taken from the protocol so far.

The Ethereum Alarm Clock allows users to plan future transactions by pre-determining the recipient address, sent amount, and desired transaction time. To complete the transaction, users must have the necessary Ether ( ETH) and pay the gas fees upfront.

PeckShield’s Oct. 19 tweet stated that hackers exploited a loophole in scheduled transactions to make a profit. This allows them to charge returned gas fees for cancelled transactions.

The attackers simply called cancel functions on the Ethereum Alarm Clock contracts they were using with high transaction fees. The protocol refunds gas fees for cancelled transactions. However, hackers were able to take the extra gas fees back because of a bug in their smart contract.

“We’ve confirmed an active exploit that makes use of huge gas price to game the TransactionRequestCore contract for reward at the cost of the original owner. The exploit actually pays 51% of the profit back to the miner, thus the huge MEV-Boost reward,” wrote the firm.

PeckShield said that it had detected 24 addresses using the bug to collect “rewards.”

Supremacy Inc, a Web3 security firm, also posted an update a few minutes later, pointing out Etherscan transaction histories that showed the hacker(s), so far, were able to steal 204 ETH worth approximately $259,800 as of the writing.

“Interesting attack event, TransactionRequestCore contract is four years old, it belongs to ethereum-alarm-clock project, this project is seven years old, hackers actually found such old code to attack,” the firm noted.

There have been no updates to the topic as of now. This makes it difficult to know if hacking is continuing, has been fixed, or whether the attack is over. Cointelegraph will keep you updated as the story develops.

October is generally associated with bullish activity, but this month has been fraught with hacks. Chainalysis reports that there was $718 Million stolen from hacks October 13, making it the largest month for hacking activity 2022.

Opinion writer on 7trade7