Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
BetHash's betting game mechanism allows players to guess the ratio of the number between 0-100 and the random number given by the system to win the bonus of the corresponding odds. The smaller the bet number, the greater the odds. Every time a player makes a bet, the dicereceipt() function of the BetHash smart contract will be called to notify the player's account. At this point, the hacker can control the malicious program to hijack the notification and embed the inline operation to implement the attack. Although the attacker also needs to pay a certain amount of bet for every attack, as long as it keeps 0.1 EOS and is conservative Attack method (per SlowMist): Malicious Code Injection Attack. Reported loss: -.
- chain
- —
- protocol
- BetHash
- bug_class
- unknown
- date_occurred
- 2019-11-07
- loss_usd
- —
- source_id
- sm:bethash::2019-11-07