Ethereum Alarm Clock exploit leads to $260K in stolen gas fees so far
A flaw in the smart contract code for the Ethereum Alarm Clock service has reportedly been exploited, with nearly $260,000 said to have been swiped from the protocol so far.
Ethereum Alarm Clock enables users to schedule future transactions by pre-determining the recipient address, amount sent and the desired time of the transaction. Users must have the necessary Ether (ETH) available to complete the transaction and must pay the gas fees in advance.
According to an Oct. 19 Twitter post by blockchain security and data analytics firm PeckShield, hackers were able to exploit a loophole in the scheduled transaction process that allows them to monetize returned gas fees from canceled transactions.
Simply put, the attackers called cancellation functions on their Ethereum Alarm Clock contracts with very high gas prices. Because the protocol refunds gas fees for canceled transactions, a flaw in the smart contract refunded the attackers more in gas fees than they had actually paid, allowing them to pocket the difference.
“We have confirmed an active exploit that uses a huge gas price to game the TransactionRequestCore contract for rewards at the expense of the original owner. In fact, the exploit pays 51% of the profit to the miner, hence this huge MEV-Boost reward,” the firm wrote.
— PeckShield Inc. (@peckshield) 19 October 2022
PeckShield added that, at the time, it had discovered 24 addresses that had exploited the flaw to collect the supposed “rewards.”
Web3 security company Supremacy Inc also provided an update a few hours later, pointing to the Etherscan transaction history showing that the hackers were so far able to swipe 204 ETH, worth approximately $259,800 at the time of writing.
“Interesting attack event, the TransactionRequestCore contract is four years old, it belongs to the ethereum-alarm-clock project, this project is seven years old, hackers actually found such old code to attack,” the firm noted.
2/ The cancellation function calculates the transaction fee (gas used * gas price) to be used with “used gas” over 85000 and transfers it to the caller.
— Supremacy Inc. (@Supremacy_CA) 19 October 2022
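The refund arithmetic described above (the article's summary of the attack and Supremacy's note that the cancellation function charges "used gas" of at least 85000 times the caller's gas price) can be modelled in a few lines. The following Python is an added illustration written for this page, not code from the ethereum-alarm-clock project or the TransactionRequestCore contract: it places the flawed refund formula beside a hardened variant and adds the invariant a monitor would check over cancellation records. The escrow balance, the scheduling-time gas price, the 40,000-gas cancellation and the transaction records are constructed sample values, and the hardened formula is an assumption about how such a refund should be bounded, not the project's actual fix.

```python
# Simplified model of the cancellation refund described in the article.
# Added example; not the ethereum-alarm-clock contract code.
# Assumptions (not from the page): the request owner escrows a balance at
# scheduling time, and a hardened cancel() prices the refund at the
# scheduling-time gas price and caps it at that escrow.

GWEI = 10**9
CANCEL_GAS_FLOOR = 85_000  # minimum "used gas" the flawed formula charges (from the page)


def flawed_cancel_refund(gas_used: int, gas_price_wei: int) -> int:
    """Refund as the article describes it: max(gas_used, 85000) * gas price,
    paid to whoever calls cancel. The caller picks gas_price_wei, so the refund
    is not bounded by what the request owner ever agreed to pay."""
    return max(gas_used, CANCEL_GAS_FLOOR) * gas_price_wei


def hardened_cancel_refund(gas_used: int, gas_price_wei: int,
                           scheduled_gas_price_wei: int, escrow_balance_wei: int) -> int:
    """Hardened variant (assumed design, not the project's fix): charge only the
    gas actually used, price it at no more than the gas price fixed when the
    request was scheduled, and never pay out more than the request's own escrow."""
    cost = gas_used * min(gas_price_wei, scheduled_gas_price_wei)
    return min(cost, escrow_balance_wei)


def refund_exceeds_cost(refund_wei: int, gas_used: int, gas_price_wei: int) -> bool:
    """Invariant a monitor can check: a cancellation should never return more
    than the canceller actually spent on the cancelling transaction."""
    return refund_wei > gas_used * gas_price_wei


def flag_suspicious_cancels(records: list[dict]) -> list[str]:
    """Return the tx ids of constructed cancel records that break the invariant,
    i.e. the pattern the article attributes to the exploit."""
    return [
        r["tx"] for r in records
        if refund_exceeds_cost(r["refund_wei"], r["gas_used"], r["gas_price_wei"])
    ]


# Constructed scenario: a request scheduled at 20 gwei with 0.01 ETH escrowed,
# then cancelled by a caller who spends 40,000 gas at a 1,000 gwei gas price.
SCHEDULED_GAS_PRICE = 20 * GWEI
ESCROW_BALANCE = 10**16            # 0.01 ETH
CANCEL_GAS_USED = 40_000
CANCEL_GAS_PRICE = 1_000 * GWEI

# Constructed cancellation records, one normal and one matching the exploit pattern.
SAMPLE_RECORDS = [
    {"tx": "0xcancel-normal", "gas_used": 40_000, "gas_price_wei": 20 * GWEI,
     "refund_wei": 40_000 * 20 * GWEI},
    {"tx": "0xcancel-suspicious", "gas_used": CANCEL_GAS_USED,
     "gas_price_wei": CANCEL_GAS_PRICE,
     "refund_wei": flawed_cancel_refund(CANCEL_GAS_USED, CANCEL_GAS_PRICE)},
]


if __name__ == "__main__":
    spent = CANCEL_GAS_USED * CANCEL_GAS_PRICE
    flawed = flawed_cancel_refund(CANCEL_GAS_USED, CANCEL_GAS_PRICE)
    hardened = hardened_cancel_refund(CANCEL_GAS_USED, CANCEL_GAS_PRICE,
                                      SCHEDULED_GAS_PRICE, ESCROW_BALANCE)
    print(f"caller spent      : {spent / 10**18:.4f} ETH")
    print(f"flawed refund     : {flawed / 10**18:.4f} ETH")
    print(f"hardened refund   : {hardened / 10**18:.4f} ETH")
    print("flagged:", flag_suspicious_cancels(SAMPLE_RECORDS))
```

In the constructed scenario the flawed formula pays 0.085 ETH to a caller who spent 0.04 ETH, so the request owner's escrow funds the difference; the hardened formula pays 0.0008 ETH, which is below both the caller's spend and the escrow. The invariant in `refund_exceeds_cost` is the cheap check to run over cancellation events when triaging a contract with this shape of refund logic.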
As it stands, there has been a lack of updates on the subject to determine if the hack is ongoing, if the bug has been fixed, or if the attack has ended. This is a developing story and Cointelegraph will provide updates as it unfolds.
Despite October generally being a month associated with bullish action, this month has been full of hacks so far. According to an Oct. 13 Chainalysis report, $718 million had already been stolen from hacks in October, making it the biggest month for hacking activity in 2022.