According to transaction history highlighted by Web3 security firm Supremacy, hackers have stolen around 204 ETH, worth approximately $259,800, through gas fee manipulation on the Ethereum Alarm Clock protocol.
Hackers strike again
Hackers have attacked Ethereum Alarm Clock, a smart contract protocol for scheduling Ethereum transactions, draining about $260,000 worth of ETH through gas fee manipulation. The hack was first announced on Twitter by PeckShield Inc., a blockchain security and data analytics firm, on October 19, 2022, among many other updates.
Announcing the attack, PeckShield said, “We have confirmed an active exploit that used huge gas prices to drive a TransactionRequestCore contract for a reward at the cost of the original owner.” According to PeckShield, hackers could profit from gas fees by exploiting loopholes in scheduled transactions on the Ethereum Alarm Clock protocol.
Taking advantage of this gap, the attackers managed to profit from gas fees, which were returned after the transaction was canceled. The bug returned much of the gas fee paid by the hackers, allowing them to collect a profit.
Gas fee manipulation
Ethereum Alarm Clock is a protocol that allows users to schedule upcoming transactions by setting the recipient address, the amount being sent, and the desired transaction time. Users must have the required amount of Ether (ETH) and gas fees in order to process transactions on this protocol.
To carry out the hack, the attackers called the cancel function on their Ethereum Alarm Clock contracts with inflated transaction fees. Due to a flaw in the protocol’s smart contract, hackers could reap large rewards from the protocol’s refund of gas fees for canceled transactions.
“Since miners get 51% profit from exploitation, MEV-Boost can afford to offer huge rewards,” PeckShield explained.
24 scam addresses identified
As of yesterday afternoon, PeckShield had identified only 24 addresses that had taken advantage of the vulnerability to earn the alleged “prize”.
Web3 ecosystem security firm Supremacy Inc. also provided an update on the hack. Referring to the Etherscan transaction history of the Ethereum Alarm Clock protocol, Supremacy said that at the time of writing 204 ETH worth approximately $259,800 had been stolen.
Explaining the hack, Supremacy noted that the protocol’s cancel function calculates the transaction fee to be spent as the gas used multiplied by the gas price, with “gas used” over 85000, and transfers it to the caller.
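The refund arithmetic described above can be modeled to show why an uncapped gas price drains the owner's deposit and how a price cap or a monitoring rule would bound it. This is an added example, not code from the Ethereum Alarm Clock project; the `scheduled_gas_price` field, the cap, the 5x alert ratio and all sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass

GWEI = 10**9

@dataclass
class CancelCall:
    tx_hash: str              # constructed placeholder id
    gas_used: int             # value used in the payout; the page says over 85000
    tx_gas_price: int         # wei per gas, chosen by whoever sends the cancel tx
    scheduled_gas_price: int  # wei per gas the owner set when scheduling (assumed field)

def refund_uncapped(call: CancelCall) -> int:
    """Payout as described on the page: gas used * gas price, sent to the caller."""
    return call.gas_used * call.tx_gas_price

def refund_capped(call: CancelCall) -> int:
    """Hardened variant (assumption): never reimburse above the owner's own price."""
    return call.gas_used * min(call.tx_gas_price, call.scheduled_gas_price)

def flag_suspicious(calls, max_ratio: int = 5):
    """Monitoring rule: cancel calls priced far above the scheduled gas price."""
    return [c.tx_hash for c in calls
            if c.tx_gas_price > max_ratio * c.scheduled_gas_price]

def owner_loss(calls, refund_fn) -> int:
    """Total wei paid out of owners' deposits under a given refund rule."""
    return sum(refund_fn(c) for c in calls)

# Constructed sample data: one ordinary cancel, one with an inflated gas price.
SAMPLE_CALLS = [
    CancelCall("0xCONSTRUCTED01", 90_000, 30 * GWEI, 30 * GWEI),
    CancelCall("0xCONSTRUCTED02", 90_000, 50_000 * GWEI, 30 * GWEI),
]

if __name__ == "__main__":
    for c in SAMPLE_CALLS:
        print(c.tx_hash,
              "uncapped:", refund_uncapped(c) / 10**18, "ETH",
              "capped:", refund_capped(c) / 10**18, "ETH")
    print("flagged:", flag_suspicious(SAMPLE_CALLS))
```

With the uncapped rule the payout scales linearly with a value the caller controls, so the cap and the alert both key on the ratio between the transaction's gas price and the price the owner agreed to.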
Hackers dig up old code
In its tweet, Supremacy Inc. described the hack as interesting, noting that the code used in the Ethereum Alarm Clock project was almost four years old and that it was amusing that hackers dug up such old code to perform the attack.
“Interesting attack incident, the transaction request core contract is four years old, it belongs to the ethereum-alarm-watch project, this project is seven years old, the hackers actually found such old code to attack,” said Supremacy.
So far, about $260,000 has been siphoned off by hackers, and it is not yet known whether the bug has been fixed and the attack has ended or is still ongoing.