Exposing An $18 Million USD Smart Contract Vulnerability
Advanced Persistent Threat (APT) — A stealthy and continuous computer hacking process, often orchestrated by persons targeting a specific entity with a specific end goal in mind.
In this report, we at AnChain.AI coined the term Blockchain Advanced Persistent Threat (BAPT) to label an APT attack taking place within blockchain infrastructure.
The first BAPT hacker group in history (BAPT-LW20) coordinated an attack to steal 12,948 Ethereum (at one point worth over $18 million) by using 5 ETH addresses to target a smart contract vulnerability within the DApp game, Last Winner.
They remain active as of this writing.
Last Winner became an extremely popular game in a short period of time. So popular, in fact, that the transaction volume it generated caused the entire Ethereum network to slow due to network congestion. As a result, gas prices skyrocketed and increasingly large amounts of ETH funds were attracted into the game.
Last Winner: Quietly Launched, Inexplicably Popular
Last Winner is a DApp game based on Ethereum which was launched on August 6th, 2018.
The game’s smart contract address is: 0xDd9fd6b6F8f7ea932997992bbE67EabB3e316f3C
The game’s smart contract has generated over 270,000 transactions in just six days. On August 8th and 9th, under the combined effect of the large-scale trading volume generated by Last Winner and Fomo3D, the number of unconfirmed transactions on Ethereum hit a new yearly high and the cost of gas was 10 times higher than average.
The first round of the game had a prize pool of more than 16,000 Ethereum while the total investment of user funds chasing this prize pool was more than 100,000 Ethereum. One could reasonably frame this game as a lottery.
While the first round of the game ended with minimal investment, the second round of prize pools quickly amassed over 7,000 Ethereum.
Unknown Sources of ETH Funding
According to Blockbeats, Last Winner is promoted and operated by Ant Colony Communication, a run-of-the-mill Ponzi scheme organization. Ant Colony has a large number of active members and influential promotional abilities [1]. Something that causes any industry veteran to immediately pause.
Our first red flag.
The Last Winner game contract has a large number of abnormal transactions. With the persistent creation and self-destruction of a large number of contracts, it deviates greatly from the characteristics of normal human calling behavior, providing us with all the evidence we need to put our security hats on and take a closer look under the hood.
Looking At Promotion And Contract Code
Promotional articles for Last Winner games can be found in major online forums, media, and WeChat groups. These articles all have similar descriptions and are accompanied by promotional invitation codes. However, there is very little information in English about Last Winner.
Clearly, those behind this game are targeting the Chinese market. The game also has a mobile app for Android and iPhone, greatly expanding its user base by reducing barriers to participation.
Last Winner’s official slogan writes:
“Last Winner (LW) is the first fully decentralized Fomo3D game DApp, based entirely on the Ethereum Smart Contract native development. Just download and install the app to participate in the game.”
Although Fomo3D exposes its source code in Etherscan, it does not mean that it is open source for anyone to use. The fact that Last Winner does not open source its smart contract code for its user base and community to review is our second red flag.
After reverse engineering and analyzing the contract bytecode of Last Winner, we found that there is a 91% similarity between Last Winner and Fomo3D. In short, those behind Last Winner blatantly plagiarized Fomo3D.
The 9% delta comes in the form of another 10 very suspicious unknown functions added haphazardly into the code. Taken in context, these unknown functions are where the illicit activity likely takes place.
Our third red flag.
Once we detected an abnormally large amount of volume and capital funneling towards this DApp game, we analyzed multiple addresses suspected of launching vast numbers of attack transactions.
DApp Game Airdrop Vulnerabilities
The Fomo3D game participants purchase “keys” to play. In addition to the large grand prize for the last purchaser, the participants usually have the opportunity to win an airdrop award.
The holdings for these various awards are structured so that there is one main prize pool and one vice prize pool. The grand prize is withdrawn from the main prize pool, while airdrop awards are withdrawn from the vice prize pool.
1% of the Ethereum entering the game will enter the vice prize pool. Every time you buy a key, you will have the chance to get an airdrop. The probability of receiving an airdrop award starts at 0%, and for every additional ETH spent the airdrop probability increases by 0.1%.
At the same time, the size of the airdrop prize is also linked to the purchase amount. If you purchase 0.1–1 ETH, you will have a chance to win 25% of the prize pool. As expected, the more you buy, the better the chance of winning. Just as in a lottery system.
As soon as you enter the game interface, you will see a clear reminder of the current winning probability and the prize pool amount. Another clear indicator of the intent behind this game, although not necessarily a red flag.
Using our Blockchain Ecosystem Intelligence (BEI) in conjunction with our Transaction Analytics Platform (TAP), we generated the map above to focus our investigation on the addresses of most significance within this Dapp game ecosystem.
The suspicious addresses we detected are all concentrated directly around the game’s target smart contract. No shocker there.
These addresses all have similar behavioral patterns, such as:
- Starting a transaction on a contract address with 0.1 Ethereum
- Many trading statuses are failures
- Successful transactions invoking many internal transactions
- Complicated internal transaction call logic, accompanied by the creation and self-destruction of a large number of contracts
AnChain.AI Anomaly Detection
The suspected address with the largest footprint piqued our interest: 0xae58
On August 9th, there were more than 300 Ethereum balances in the 0xae58 address, and at the time this address was initiating transactions with the 0x5483 address.
The transfer amount for each transaction was 0.1 Ether (see below). The hackers are clearly attacking Last Winner through its 0x5483 smart contract address.
Let us observe that the status below shows a successful transaction. On the surface, 0xae58 transferred 0.1 Ether to contract 0x5483.
But what actually happened involved a lot of mutual transfers between addresses, and the self-destruction of the 0x7c77 contract resulting in 0.189 Ether being transferred back to the initiating 0xae58 address.
The attacker invested 0.1 Ethereum and gained 0.189 in return. An instantaneous return on investment of 89%. Not too shabby.
We quickly discovered that in addition to the 0xae58 address, there were four other addresses that continued to initiate similar transactions to the 0x5483 contract, and they were all continuously receiving high returns.
What about the self-destructing transaction? The failed transaction consumes only 27,712 gas, and the gas cost is very low relative to the available profits, so it provides a minimal barrier to entry.
Analyzing Attack Profitability
The most profitable attack is the team headed by the 0x820d address. They have accumulated more than 5,000 Ethereum (ETH). We have coined this team BAPT-LW20 (Blockchain APT — Last Winner).
BAPT-LW20 is by far the MOST advanced, persistent, hacker group on blockchain, to date.
In just 6 days, the BAPT-LW20 team launched nearly 50,000 transactions and extracted 5,194 Ethers with a profit value of over $2 million USD at the time of attack.
From the graph of hourly attack transactions (below), we can tell that the peak attack period occurred from August 8 to August 10, with an average hourly withdrawal of nearly 100 Ethereum, $33,000 USD, at the time of the attack.
As the game enters its later stages, the players’ funds drop sharply, the revenues decrease, and the hackers have to reduce the attack frequency.
Looking at hourly stolen ETH (below), it is interesting to note that even in the context of our current bear market, hackers are still capable of harvesting several millions of dollars in one week with minimal effort.
The picture below shows the ratio of trading volume vs ETH. The hacker sent only 10% of the total transaction volume, but took 49% of the bonus in the Last Winner prize pool.
The hacker’s attacking skills rig the game in such a way that ordinary players do not stand any fair chance of receiving airdrop rewards, whereas the attackers can virtually “print” money.
The Story Behind BAPT-LW20
We chased this BAPT-LW20 hacker group and successfully recovered the BAPT hacking timeline.
The chart below shows the changes in the account balance of the BAPT-LW20 team.
The captain of BAPT-LW20 is the deployer of all the attack contracts. Think of the captain as the initiator of the attack. The captain was first active on July 20th, and its initial ETH funding came from the San Francisco-based Kraken exchange.
After receiving 10 ETH from Kraken, its first contract was deployed. Three minutes later , it deployed a second contract with the target of Fomo3D.
After a set of preparations, several failed calls, and two successful (albeit unprofitable attempts) the captain discovered bugs in his attack smart contract and began iterating and optimizing.
In the next 14 hours, the captain deployed 8 contracts for attack testing, but was unsuccessful. Then on the 9th contract deployment, the captain struck gold receiving 0.125 ETH in return for only risking 0.1 ETH. The attack was on.
Immediately, the captain launched 11,551 contracts from July 21st to July 23rd.
On July 23 , captain deployed a new contract to another Fomo3D copycat game, RatScam (0x5167350d082c9ec48ed6fd4c694dea7361269705).
The BAPT-LW20 Team deployed 2,299 attack contracts in one day.
One day later, the captain found a new target in another copycat game called FoMoGame (0x86D179c28cCeb120Cd3f64930Cf1820a88B77D60). However, with minimal funding the game did not prove a valuable attack target, and the attacker moved on after only 126 attempts.
Subsequently, the captain continues to probe at other DApp games and honing in on his attacking strategy, deploying and fine tuning each iteration of smart contracts.
Finally, on August 6th, the Last Winner game goes live.
The captain used the prepared contract to launch the first attack against Last Winner, and over the following 4 days repeatedly exploited the airdrop vulnerability to launch the offensive.
On August 10th , Captain called the the attack contract withdraw function, and drained the balance inside. The attack was suspected to be suspended.
Instead, it turned out that they had already deployed a new version of the contract attack contract (Version 3.0), and launched more than 30,000 transactions, which are still active attacks as of today.
BAPT-LW20 Steals The Game’s Grand Prize
On the morning of August 17th, the first round of the Last Winner game ended. The Grand Prize was won by the address 0x5167, and the total amount of the prize was 7,754 Ethereum.
This address is one of the five addresses belonging to BAPT-LW20.
As of this writing, hackers are still using the attack contract to siphon airdrop rewards.
The BAPT-LW20 hacker group exploited the airdrop vulnerability to the tune of over 5,194 Ether. They also won the final grand prize of 7,754 Ether.
A total profit of 12,948 Ether.
Who Is Behind BAPT-LW?
The 0x20C9 address was the first to successfully exploit the original Fomo3D airdrop vulnerability and receive rewards.
0x20C9 created the attack contract 0xe7ce at 10:07 on July 8th. In the next ten minutes, it was called three times, and finally won the reward on the fourth time, investing 0.1 Ethereum and recovering 0.19 (see below).
0x20C9 continued to deploy multiple attack contracts for debugging optimization. Eventually, the final version of the 0x39ac attack contract was deployed on July 23 targeting Fomo3D original, Last Winner.
Our observations lead us to believe 0x20C9 is the first hacker to research and successfully exploit the airdrop vulnerability. During the course of the study, we found that 0x20C9 was closely related to another popular DApp game (name undisclosed).
This provides us with substantial evidence to suggest that one of the core developers behind that popular DApp game is the captain of the Last Winner attack.
Why Is Last Winner So Attractive?
Shortly after the initial Fomo3D was launched, the airdrop vulnerability was discovered and successfully exploited. With the widespread spread of the game and the vulnerabilities being gradually revealed, the attack methods of airdrop vulnerabilities have grown more sophisticated and enhanced throughout.
The attack is made more potent by the fact that hackers are rewarded with low upfront costs and high return efficiency. Using these vulnerabilities, they can attack any kind of similar game contract on a large scale and steal Ethereum from the ecosystem.
According to our analysis, in addition to Last Winner, all of the other Fomo3D-like game contracts have been targeted. However, in terms of scale the funds stolen from Last Winner are amongst the largest.
In Last Winner, the admission funds are fully concentrated from the 2nd to the 5th day after the game starts. A huge amount of admission funds will make the game airdrop prize pool accumulate quickly, so this time is also a golden opportunity for hackers to attack the smart contract vulnerability.
To make matters worse, the Last Winner team modified the airdrop game parameters to adjust the proportion of Ethereum entering the vice prize pool from 1% to 10%.
While most game operators may use high-volume airdrop rewards to attract more users, on the other hand, it’s worth noting that future high-volume airdrop rewards could be a lead indicator of wrongdoing. This will certainly be a lead indicator attackers will use to maximize their attack earnings.
Last Winner = Hackers’ ATM!
The first round of admission to the Last Winner game amassed over 100,000 ETH. This leaves over 10,000 ETH continuously exposed to the airdrop vulnerability.
Armed with this knowledge and provided a 10,000 ETH incentive to follow through, hackers are presented with a setup that is much like shooting fish in a barrel.
By continuously leveraging airdrop loopholes and accumulating more and more ETH in the process, hackers eventually amassed enough wealth to co-opt the entire game and win the Last Winner Grand Prize Pool.
Who Is next?
On August 14th, the BAPT-LW20 hacker team’s 0x820d deployed two new versions of the attack contract again targeting another recently deployed DApp smart contract.
Timeline of BAPT-LW20:
- 2018/07/06 Fomo3D game contract online
- 2018/07/08 One developer from FOMO3D’s competitor discovers and exploits airdrop vulnerabilities
- 2018/07/20 Fomo3D game growing very popular in China
- 2018/07/20 BAPT-LW20 Hacker team activates
- 2018/07/21 BAPT-LW20 Team Successfully Utilizes Fomo3D Airdrop Vulnerability for the First Time
- 2018/07/23 BAPT-LW20 Team Attacks copycat game Mouse RatScam
- 2018/07/23 Péter breaks the Fomo3D airdrop vulnerability in Reddit
- 2018/07/24 BAPT-LW20 Hacking team attacking FoMoGame
- 2018/07/26 BAPT-LW20 Hacker team deploys new version of attack contract 0x5483
- 2018/08/06 Last Winner game goes online
- 2018/08/07 Last Winner game grows more popular
- 2018/08/07 BAPT-LW20 Hacker team starts attacking Last Winner
- 2018/08/09 Ethereum’s unconfirmed transaction volume hit a new high in the year
- 2018/08/10 BAPT-LW20 The hacker team transfers funds from the old contract and continues the attack with the new version of the contract
- 2018/08/14 BAPT-LW20 The hacker team deploys a new version of the attack contract and starts attacking a new contract
- 2018/08/17 BAPT-LW20 Hacking team wins Last Winner Grand Prize Award of 7,754 ETH
Technical Overview
The root cause of the Last Winner (Fomo3D-copycat) airdrop vulnerability is that it is difficult to generate unpredictable random numbers in Ethereum Smart Contracts.
The Fomo3D developer added the logic of “judge whether the caller is an ordinary human or a contract” in his contract to try to circumvent this issue, but this logic implementation has a loophole. Hackers use attack contracts to predict random numbers in advance and masquerade as ordinary human (non-contract) addresses by calling game contracts within the constructor, greatly increasing their chances of winning.
Péter Szilágyi, one of the leaders of the Ethereum Foundation development team, first publicly revealed the vulnerability on Reddit and gave the 1.0 version of the POC scheme on July 23 [3]. This is mainly to take advantage of these characteristics:
- The random source used by the airdrop game to control the probability of winning can be obtained in advance
- Whether the user can get the airdrop reward and the bonus can be calculated in advance in another contract to determine the subsequent manipulation logic.
- The Fomo3D airdrop mechanism is made to allow only non-contracted addresses (ordinary humans). However, there is a loophole in judging it, and the restriction can be bypassed by participating in the game during the construction of the contract (ie, in the contract construction method).
Therefore, an attacker can deploy a smart contract and calculate whether he can benefit from the contract construction method. If he can, he will invest in Ethereum to participate in the game to make a profit, otherwise he will not participate (see the figure below).
Every time the contract is deployed, a higher amount of gas is consumed, work efficiency decreases, and the profit margin decreases. Using this program to attack and launch thousands of transactions may not reap the airdrop rewards the attacker is looking for.
The attackers in questions have a better approach to avoid all of this.
Zethr developer, Etherguy, has succeeded in profiting with a more advanced approach as early as July 8 by solving some of the problems in version 1.0 above, which we call version 2.0.
The idea is to create a sub-contract through a contract cycle (figure below) until the sub-contract meets the airdrop condition to make a profit. The advantage of this is that, with sufficient gas, the contract will almost certainly yield revenue and improve productivity. However, this approach is similar to the cost of version 1.0 attack and does not substantially improve the rate of return.
BAPT-LW20, the biggest profit-seeker of this event, further optimized version 2.0 and its idea of reducing input costs and increasing profitability. Version 3.0 is, incredibly, able to create a proxy contract, pre-judge by calculating the new contract address in the next step, filtering out the qualified agent contract, creating a new sub-contract, then completing the V2.0 attack in the constructor of the sub-contract (see figure below).
Moreover, the target address of the attack can be configured. Multiple people can cooperate and attack at the same time. When the sizeof the game’s prize pool is insufficient to cover the cost of the attack it will automatically fail, preserving resources.
In our analysis of various types of vulnerable smart contracts, we also saw another more sophisticated approach: the main attack contract has a novel design model, supports dynamic replacement, and is an upgrade of core algorithms. In principle, it uses the delegate call to operate.
Attack Variable 1 — Airdrop and Mining
We know that miners usually need to do the following calculations when mining through a PoW protocol:
When the BlockHash result is less than the current difficulty value, the delegate finds a valid Nonce.
There is a similar mining mechanism in Fomo3D’s airdrop award:
The only thing a user can manipulate is the msg.sender field. Can we use msg.sender as a Nonce for mining?
The answer is yes. The address of a smart contract is determined by the initiator account + nonce, so there is the first generation method:
This method requires a user to continuously deploy the contract, however, the mining costs are very expensive and the success rate is extremely low. The winning probability each time is 1/1000.
Due to the terrifying failure rate of the first generation attack, it is obviously not usable. There is a second generation attack method:
The main idea of this approach is that the new contract address created by the smart contract is determined by the contract address + nonce:
This approach is similar to mining, fixing the blockhead, and constantly modifying the nonce to test whether the reward can be successfully won. But, the problem is that if the legal nonce is found at the 1000th loop, it means all the 999 contracts previously deployed are wasting precious gas resources.
So how do you find a legal nonce more efficiently?
Think back to Bitcoin mining, a mining mission requires not only nonce, but also extraNonce [4].
In the coinbase field of a Bitcoin block, there is a freely modified area. Modifying this area will modify the MerkleRoot so that the Header is modified to have a nonce effect. This is called extraNonce .
Why do you need to introduce extraNonce? The reason is that the nonce is a 32-bit number, the search range is only ²³², and the mining machine is traversed almost instantaneously. By constantly modifying the extraNonce to expand the local search range, we can even modify the extraNonce to mine without modifying the nonce.
Perhaps the hacker also realized this as they achieved the effect of 1000 extraNonce by deploying 1000 agent contracts in advance. At this point, the attack method has been upgraded to the 3rd generation:
Obviously, this attack method achieves 2 effects at the same time:
- Increased attack success rate
- Reduces the number of attack contract deployments and greatly reduces the consumption of gas.
Attack Variable 2 — Probability Of Winning
As mentioned above, hackers pre-deploy 1000 agent contracts. What’s the value of this number?
The seed is derived from a series of Ethereum chain and multiple Hash operations. The Hash result takes a remainder of 1000 and can get a pseudo-random number from 0 to 999.
We assume that the hash output is uniform and that the hash is anti-collision. Then, the average probability of winning each time is 1/1000.
Simulation results:
Formula operation results:
More smart contracts can provide a higher probability of winning, but gas consumption and gas limit should not be large.
AnChain.AI believes that hackers chose to deploy 1000 contracts based on the probability code 1/1000.
Attack Variable 3 — Exploiting Bugs In Airdrop Probability Calculations
Hackers are still aiming to make profits more efficiently even after discovering the flaws exposed by Fomo3D’s airdrop rule.
The attack contract needs to obtain the airdrop reward information at the beginning as a basis for subsequent operations. Therefore, the attack contract will first call the two query interfaces of the game contract, namely 0xd87574e0 airDropPot_() and 0x11a09ae7 airDropTracker_().
The airDropTracker_ of Fomo3D airdrop award is calculated as follows:
Fomo3D judges whether it is possible to get airdrop using the following methods:
According to our analysis, the 0x820d late-updated attack contract directly removes the judgment of airDropTracker_, but there are advantages and disadvantages to doing so.
About AnChain.AI
A blockchain data analytics firm providing intelligence, indicators, and investigative resources for clients to enhance their security, risk, and compliance strategies.
Feel free to reach out to us directly at: info@anchain.ai
Our products:
BEI connects wallet addresses and cryptocurrency transactions to real-world entities, allowing you to secure endpoints, quantify risk, remain KYC/AML compliant, and gain a competitive edge.
TAP produces swift, actionable insight into your day-to-day operations, providing automated alerts, anomaly detection, user profiling, and QA/QC.
CAS audits the security score of any Solidity-based smart contract, having analyzed the source code of every mainnet EVM smart contract plus the 1M + unique, user-uploaded smart contracts.
CRR pursues your adversaries throughout their digital monetization life cycle, deterring repeat and future attempts, identifying attack vectors, and minimizing financial and reputational losses to ransomware.
References
[1] Blockbeats: 80,000 transactions “sealed” the Ethereum network, just to snatch the Fomo3D award? https://mp.weixin.qq.com/s/5nrgj8sIZ0SlXebG5sWVPw
[2] Pwning Fomo3D Revealed: Iterative, Pre-Calculated Contract Creation For Airdrop Prizes!, https://peckshield.com/2018/07/24/fomo3d/
[3] Péter Szilágyi’s airdrop exploit exploits POC, https://www.reddit.com/r/ethereum/comments/916xni/how_to_pwn_fomo3d_a_beginners_guide/, 2018/07/23
[4] AsicBoost — A Speedup for Bitcoin Mining, https ://arxiv.org/pdf/1604.00575.pdf, 2016/03/31
原文链接:http://chaindd.com/3107866.html
Acknowledgements
AnChain.AI would like to acknowledge Secbit Labs and Graphistry for supporting this investigation.