The Ethereum Alarm Clock service has fallen victim to the latest Hacktober exploit resulting in losses worth $260,000.
PeckShield Reports Alarm Clock Attack
Around $260,000 worth of ETH was siphoned off when hackers exploited a bug in the smart contract code for the Ethereum Alarm Clock service. The news was first brought to the public eye by blockchain security and data analytics company PeckShield, which revealed that hackers had managed to manipulate a loophole in the scheduling code, allowing them to profit from returned gas fees on canceled transactions. Currently, the protocol can be employed for scheduling future transactions by entering a receiver address, the amount of funds to be transferred, and the time of the transaction. Users must keep the necessary amount of Ether to pay gas fees for the transaction upfront. In the case of canceled transactions, the deducted gas fees are refunded to the originating wallet.
Exploit Mechanism Explained
The exploit mechanism can be summed up as attackers calling cancel functions on their Ethereum Alarm Clock contracts with inflated transaction fees. A bug in the smart contract has been refunding the perpetrators a higher value of gas fees than what they initially paid. PeckShield reported that 51% of this bloated refund was paid out to miners, thus increasing their Miner Extractable Value (MEV).
The firm tweeted,
“We’ve confirmed an active exploit that makes use of huge gas price to game the TransactionRequestCore contract for reward at the cost of original owner. In fact, the exploit pays the 51% of the profit to the miner, hence this huge MEV-Boost reward.”
According to another security firm, Supremacy Inc., the exploit has resulted in a loss of around 204 ETH.
2022 has already seen a record number of DeFi hacks. The Alarm Clock attack is the latest in a long line of protocol hacks that have exploited bugs in smart contract codes, especially in the month of October, which is also being dubbed as Hacktober. Most recently, Moola Market was hacked for $9 million by manipulating the price of the lending protocol’s native MOO token by purchasing $45,000 worth of the token and depositing it as collateral to borrow CELO tokens. Thankfully the hacker returned most of the funds while retaining $500,000 as a bug bounty. Other protocols that were exploited this October include the BitKeep Wallet and DeFi protocol Sovryn, which both lost around a million dollars each. However, the most noteworthy is the Mango Markets hack, which resulted in funds worth $117 being siphoned off from the lending platform in the second week of Hacktober.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.