On 22 August, someone won the first round of Fomo3D. An analysis by SECBIT Labs shows that behind this victory lies a controlled attack on the game.
Even though it happened over a week ago, it is worth a closer look: on 22 August 2018 an unknown player won the first round of Fomo3D and almost 10,500 Ether, which at the current price corresponds to about $3 million.
Everything points to the winner not being a regular participant, but someone who used various tricks to manipulate the game in his favor. SECBIT Labs have examined the strategy behind the winner's (or hacker's) address 0xa169df5ed3363cfc4c92ac96c6c5f2a42fccbf85 more closely. The details behind the win of the first round of Fomo3D read like a cyber crime in which a big-time scammer manipulated a game built as a snowball system.
How does Fomo3D work?
BTC-ECHO described Fomo3D briefly in an earlier article. Roughly, the "game of greed" works like this: a timer counts down. During this countdown, players can buy a "Key". With each purchase, these keys become more expensive. If no purchase takes place for a certain period of time, or a global countdown runs out, whoever bought the last key receives 48 percent of the stored Ether. The rest is divided between different teams, which stand for different strategies. Anyone who would like to learn more about the rules should refer to the Fomo3D wiki.
Tracing on the Blockchain
Thanks to the transparency of the Ethereum blockchain, the victory of the entity behind the address 0xa169df5ed3363cfc4c92ac96c6c5f2a42fccbf85 is easy to follow. Of interest to us is what happened between 6:48 and 6:50 on 22 August 2018.
The corresponding blocks on the Ethereum blockchain, block 6191898 to block 6191908, are unusually small. They contain an average of 14 transactions, far fewer than the roughly 100 transactions that normally make it into a block every 15 seconds.
In contrast, the transaction fees in these blocks average 21 dollars, almost four times as high as the all-time high at the beginning of 2018. The attacker therefore deliberately initiated transactions with high fees.
That alone might suggest a miner that deliberately packed just a few but lucrative transactions into a block and mined it ahead of the others. Etherscan confirms, however, that the relevant blocks were mined by different miners, among them pools such as Sparkpool, BitClubPool, Nanopool and Ethermine.
On the blockchain we can see that all the relevant transactions went, indirectly, to the winner of Fomo3D; a smart contract was interposed in between. Unfortunately its source code is not published, but one can guess what the smart contract did. SECBIT Labs suspects that it performed two functions.
A look behind the hacker's contract
First, it called a function of Fomo3D, getCurrentRoundInfo(), which returns information such as the end time of the round or the last buyer.
The other transactions are stranger still: they all fail, and each of them exhausts its gas limit. Apparently the smart contract applied a second trick here, with which the block gas limit set by the respective miner could be reached quickly. It is known that the Solidity statement assert() consumes all remaining gas when it fails. Since this produces the "Bad Instruction" error (the 0xfe opcode), it can be confirmed that all of the failed transactions used assert().
To summarize: via getCurrentRoundInfo() the attacker could determine how close the deadline was and whether he was currently the last key buyer. By abusing the assert() function, blocks could be filled quickly in terms of gas. When the time ran down and the attacker was the last buyer, the gas limit of the following blocks was exhausted by the manipulation described above. By applying this repeatedly, the attacker could speed up the end of the game and raise his probability of winning enormously.
This was apparently quite effective. So effective that the smart contract was also used in other such games, such as Super Card. Last Winner also shows similar anomalies, but these would go beyond the scope of this article.
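The block pattern described above (sparse blocks whose gas limit is nonetheless exhausted by failing, gas-burning calls from one sender) can be flagged automatically. The following detector is an added example written for this article, not code from SECBIT Labs or BTC-ECHO; it assumes you already have per-block transaction records with sender, gas limit, gas used and success flag (as an explorer or node RPC provides), and the thresholds, the block data and the attacker address are constructed placeholders.

```python
from collections import namedtuple

Tx = namedtuple("Tx", "sender gas_limit gas_used success")   # constructed record shape
Block = namedtuple("Block", "number gas_limit txs")

BASELINE_TX_PER_BLOCK = 100  # the article's figure for an ordinary block
LOW_TX_FACTOR = 0.25         # suspicious if fewer than a quarter of that ...
FULL_FRACTION = 0.9          # ... while the block gas limit is nearly exhausted

def stuffing_sender(block):
    """Return the sender whose gas-exhausting failed transactions dominate a
    sparse but full block, or None if the block looks ordinary."""
    gas_used = sum(t.gas_used for t in block.txs)
    if gas_used < FULL_FRACTION * block.gas_limit:
        return None
    if len(block.txs) > LOW_TX_FACTOR * BASELINE_TX_PER_BLOCK:
        return None
    # assert()-style failures (INVALID opcode 0xfe) revert with all gas consumed
    burned = {}
    for t in block.txs:
        if not t.success and t.gas_used == t.gas_limit:
            burned[t.sender] = burned.get(t.sender, 0) + t.gas_used
    if not burned:
        return None
    top = max(burned, key=burned.get)
    return top if burned[top] >= 0.5 * gas_used else None

def stuffing_runs(blocks, min_run=3):
    """Consecutive flagged blocks with the same sender -> [(sender, first, last)]."""
    runs, cur = [], None
    for b in sorted(blocks, key=lambda b: b.number):
        s = stuffing_sender(b)
        if cur and s == cur[0] and b.number == cur[2] + 1:
            cur[2] = b.number
            continue
        if cur and cur[2] - cur[1] + 1 >= min_run:
            runs.append(tuple(cur))
        cur = [s, b.number, b.number] if s else None
    if cur and cur[2] - cur[1] + 1 >= min_run:
        runs.append(tuple(cur))
    return runs

# Constructed sample: two ordinary blocks, the block range from the article
# filled by one address with failing gas-exhausting calls, then an ordinary block.
ATTACKER = "0xATTACKER_PLACEHOLDER"
def stuffed_block(n):
    txs = [Tx(ATTACKER, 600_000, 600_000, False) for _ in range(12)]
    return Block(n, 8_000_000, txs + [Tx("0xuser", 21_000, 21_000, True)] * 2)
def normal_block(n):
    return Block(n, 8_000_000, [Tx(f"0xuser{i}", 60_000, 50_000, True) for i in range(100)])
SAMPLE = ([normal_block(6191896), normal_block(6191897)]
          + [stuffed_block(n) for n in range(6191898, 6191909)] + [normal_block(6191909)])
```

Run over real block data, a run of flagged blocks that coincides with a game's timer nearing zero is the signal worth alerting on; a single flagged block can also be an honest contract with a bug.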
Lessons Learned after Fomo3D
For games with a strong snowball character such as Fomo3D or Last Winner it is, cynically viewed, fitting that the winner won by unfair means. Moreover, the sophistication of the hackers shows both the opportunities and the risks of smart contracts, especially when they interact with each other.
In March we discussed a study according to which three percent of all smart contracts have security vulnerabilities. The linked article pointed out that one should pay attention to phrases such as "xxx is yyy" and be particularly skeptical of smart contracts that are available only as opcode or bytecode, that is, whose Solidity source is not published. With regard to the developments around Fomo3D and similar games, this also means that one should be cautious with other smart-contract-based games. The most important additional lesson is that one should observe the behavior of the players more precisely. Thanks to the transparency of the blockchain, this is possible, as SECBIT has shown.