A bug in the smart contract code for the Ethereum Alarm service has reportedly been exploited and nearly $260,000 has been stolen from the protocol so far.
Ethereum Notifier allows users to schedule future transactions by pre-selecting the recipient’s address, the amount sent, and the desired transaction time. Users must have the necessary ether (
) is in stock to complete the transaction and you have to pay the gas fee up front.
According to a post by security and data analytics firm PeckShield on October 19, hackers were able to exploit a loophole in the scheduled transaction process, allowing them to take advantage of gas fees refunded from canceled transactions.
Simply put, the attackers launched cancellation functionality into their Ethereum Alarm Clock contracts with inflated transaction fees. Since the protocol returns gas fees for canceled transactions, a smart contract error returns hackers more gas fees than they originally paid, allowing them to charge the difference.
“We have confirmed an active exploit that uses a huge gas price to play with the TransactionRequestCore contract in exchange for a bonus on the original owner’s account. In fact, the exploit pays the miner 51% of the profits, hence the huge MEV-Boost bonus.”
We have confirmed an active exploit that uses a huge gas price to run a TransactionRequestCore contract for a reward on the original owner’s account. In fact, the exploit pays the miner 51% of the profits, hence this huge MEV-Boost bonus. https://t.co/7UAI0JFv72 https://t.co/De6QzFN472 pic.twitter.com/iZahvC83Fp
– Peck Shield Inc. (@peckshield) Oct 19, 2022
At the time, PeckShield added that it had found 24 addresses using the bug to claim the supposed “rewards”.
Security firm Web3 Supremacy Inc also provided an update a few hours later, citing Etherscan transaction history, which showed hackers were able to steal 204 ETH, which is worth about $259,800 at the time of writing.
The company noted that “an interesting attack occurred, the TransactionRequestCore contract is four years old, it belongs to the ethereum-alarm project, this project is seven years old, and the hackers really found an old attack code.”