$260,000 Worth of ETH Stolen From the Ethereum Alarm Clock Protocol
Attackers have drained about 204 ETH, valued at approximately $259,800, from the Ethereum Alarm Clock protocol by manipulating gas fees, according to the transaction history highlighted by the Web3 security firm Supremacy.
Hackers Strike Again
Attackers have hit the Ethereum Alarm Clock, a smart contract protocol for scheduling Ethereum transactions, carting away roughly $260,000 worth of ETH through gas fee manipulation. The exploit was first reported on Twitter by PeckShield Inc., a blockchain security and data analytics firm, on 19 October 2022.
Announcing the attack, PeckShield stated, “We’ve confirmed an active exploit that makes use of huge gas price to game the TransactionRequestCore contract for reward at the cost of the original owner.” According to PeckShield, the attackers profited from the gas fee reimbursement built into the protocol’s scheduled transactions.
The protocol refunds gas fees to whoever cancels a scheduled transaction. Because the refund was computed from the caller’s own gas price, the attackers collected reimbursements larger than the gas they had actually paid, and the difference came out of the funds deposited by the original owner of each scheduled transaction.
The Gas Fee Manipulation
The Ethereum Alarm Clock is a protocol that lets users schedule future transactions by setting the recipient’s address, the amount to be sent, and the desired execution time. A user must fund the request with enough Ether (ETH) to cover both the value being sent and the gas fees needed to process it.
To carry out the attack, the attackers called the cancel function on TransactionRequestCore contracts at a deliberately inflated gas price. Because of a flaw in the protocol’s smart contract, the refund paid out for a cancelled transaction scaled with that gas price, so each cancel yielded a large reward funded by the original owner’s deposit.
“Since the miner receives 51% of the gain from the exploit, MEV-Boost can afford to offer a much larger reward,” explained PeckShield.
24 Exploiter Addresses Identified
As of yesterday afternoon, PeckShield had identified 24 addresses that had taken advantage of the vulnerability to collect the purported “rewards.”
Web3 ecosystem security firm Supremacy Inc. also provided an update on the hack. Referencing the Etherscan transaction history of the Ethereum Alarm Clock protocol, Supremacy stated that 204 ETH, worth about $259,800 at the time of writing, had been stolen.
Explaining the hack, Supremacy noted that the cancel function computes the fee to reimburse as gas used multiplied by the gas price, where the “gas used” figure is padded with a fixed 85,000 gas allowance, and transfers the result to the caller. Since the gas price in that formula is the one set by the caller of the cancel transaction, a caller who submits the cancel at a huge gas price inflates the reimbursement along with it.
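To make the mechanism concrete, here is an added illustrative Solidity reconstruction of the reimbursement pattern described above (the inflated-gas-price cancel and the gas-used-plus-85,000 formula). It is not the Ethereum Alarm Clock’s own code: the contract layout, the field names (owner, agreedGasPrice, windowEnd) and the hardened variant are assumptions, and the only detail taken from the page is a fixed 85,000 gas padding priced at the caller’s gas price.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Illustrative reconstruction, not the Ethereum Alarm Clock's code.
/// Field names and the hardened variant are assumptions for this example.
contract ScheduledRequest {
    // Fixed padding cited in the article: the cancel reward reimburses the
    // measured gas plus this allowance, priced at the caller's gas price.
    uint256 private constant CANCEL_EXTRA_GAS = 85_000;

    address public immutable owner;          // scheduler who funded the request
    uint256 public immutable agreedGasPrice; // assumed: gas price the owner budgeted for
    uint256 public immutable windowEnd;      // assumed: after this, anyone may cancel
    bool public cancelled;

    // The owner deposits ETH covering value, fees and reward when scheduling.
    constructor(uint256 _agreedGasPrice, uint256 _windowEnd) payable {
        owner = msg.sender;
        agreedGasPrice = _agreedGasPrice;
        windowEnd = _windowEnd;
    }

    function _cancellableBy(address caller) internal view returns (bool) {
        return !cancelled && (caller == owner || block.timestamp > windowEnd);
    }

    /// VULNERABLE pattern: reward = (gasUsed + 85_000) * tx.gasprice, paid to
    /// whoever cancels, out of the owner's deposit. tx.gasprice is chosen by the
    /// caller, so a cancel submitted at a huge gas price inflates the reward.
    /// The measured portion roughly covers the real gas cost, which the block
    /// producer collects; the 85_000 * tx.gasprice padding is the canceller's gain.
    function cancelVulnerable() external {
        uint256 startGas = gasleft();
        require(_cancellableBy(msg.sender), "not cancellable");
        cancelled = true; // set before any transfer to block re-entrancy

        if (msg.sender != owner) {
            uint256 measuredGas = startGas - gasleft() + CANCEL_EXTRA_GAS;
            uint256 reward = measuredGas * tx.gasprice; // unbounded in tx.gasprice
            if (reward > address(this).balance) reward = address(this).balance;
            payable(msg.sender).transfer(reward);
        }
        payable(owner).transfer(address(this).balance); // owner gets whatever is left
    }

    /// HARDENED variant (an assumed fix, not one the project is known to have
    /// shipped): price the reimbursement at the gas price the owner agreed to
    /// when scheduling, never higher, so the worst-case payout is fixed at
    /// scheduling time and the caller's own tx.gasprice cannot move it.
    function cancelHardened() external {
        uint256 startGas = gasleft();
        require(_cancellableBy(msg.sender), "not cancellable");
        cancelled = true;

        if (msg.sender != owner) {
            uint256 price = tx.gasprice < agreedGasPrice ? tx.gasprice : agreedGasPrice;
            uint256 measuredGas = startGas - gasleft() + CANCEL_EXTRA_GAS;
            uint256 reward = measuredGas * price;
            if (reward > address(this).balance) reward = address(this).balance;
            payable(msg.sender).transfer(reward);
        }
        payable(owner).transfer(address(this).balance);
    }
}
```

In the vulnerable branch the canceller’s net take per request is roughly the 85,000 gas padding multiplied by whatever gas price they chose, capped only by the request’s remaining deposit; the measured portion is paid out as ordinary gas revenue to whoever produces the block. The hardened branch keeps the same reimbursement shape but bounds the price by a value the owner controlled, which is the property a scheduler needs in order to know the maximum a third-party cancel can cost them.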
Hackers Dig Up Old Code
In its tweet, Supremacy Inc. called the incident an interesting attack event, noting that the TransactionRequestCore contract was about four years old and the ethereum-alarm-clock project itself about seven, and remarking that the attackers had dug up such old code to attack.
“Interesting attack event: the Transaction Request Core contract is four years old; it belongs to the ethereum-alarm-clock project, which is seven years old. Hackers actually found such old code to attack,” Supremacy observed.
So far, approximately $260,000 worth of ETH has been carted away, and it is not yet known whether the bug has been fixed and the attack has ended, or whether it is still ongoing.