“According to reports, a flaw in the smart contract code for the Ethereum Alarm Clock service has been exploited, resulting in the theft of nearly $260,000 from the protocol thus far” [Sharma, R. $260K gas fees stolen following the Ethereum Alarm Clock exploit. (Accessed October 20, 2022)].
The Ethereum Alarm Clock enables users to schedule future transactions by pre-determining the receiver address, sent amount and desired time of transaction. Users must have the required Ether on hand to complete the transaction and need to pay the gas fees upfront. According to an Oct. 19 Twitter post from blockchain security and data analytics firm PeckShield, hackers managed to exploit a loophole in the scheduled transaction process, which allows them to make a profit on returned gas fees from canceled transactions.
[Quarmby, B. Ethereum Alarm Clock exploit leads to $260K in stolen gas fees so far. (Accessed October 20, 2022)].
Simply put, the attackers used inflated transaction fees to call cancel functions on their Ethereum Alarm Clock contracts. A flaw in the smart contract has been allowing the hackers to pocket the difference between what they initially paid and what the protocol refunds in gas fees for canceled transactions. They have established an active exploit that takes advantage of skyrocketing gas prices in order to rig the TransactionRequestCore contract in exchange for a reward at the expense of the original owner. The exploit actually gives the miner 51% of the profit, which is why the MEV-Boost reward is so big, the company wrote.
[Sharma, supra]
“PeckShield added at the time, it had spotted 24 addresses that had been exploiting the bug to collect the supposed ‘rewards.’ Web3 security firm Supremacy Inc also provided an update a few hours later, pointing to Etherscan transaction history that showed the hacker(s) were so far able to swipe 204 ETH, worth roughly $259,800 at the time of writing. ‘Interesting attack event, TransactionRequestCore contract is four years old, it belongs to ethereum-alarm-clock project, this project is seven years old, hackers actually found such old code to attack,’ the firm noted” [Quarmby, supra].
At present [October 20, 2022 @ 18:22 ET] “there has been a lack of updates on the topic to determine if the hack is ongoing, if the bug has been patched or if the attack has concluded” [Id].
“This month has been rife with hacks, despite the fact that October is typically a month of bullish action. A Chainalysis report from October 13 states that hackers had already stolen $718 million in October, making it the most active month in 2022” [Sharma, supra].
.png)