A hacker trying to hack a hacker was hacked by the hacker he was trying to hack in an ethereum smart contract cat and mouse game, honey pots and pots of honey.
An ethereum coder says he was whistling around smart contract land when he saw a bug similar to the one that got the DAO hacked.
But unlike the millions the DAO had, this one was hosting only one eth that on the surface seemed “vulnerable to a Rentrancy attack,” the hacker says before further adding:
“Beauty!”, I thought. “I can have some fun and try out this hack, and give the funds back to the contract creator later. There’s 1 ETH in there, so it should be a fun challenge, maybe do a victorious blog post later.”
Of course he was going to give back the one eth. We do not doubt it for one second. So the smart kid went off writing the exploit code, testing it on testnet, then:
“It didn’t work! The Eth got stuck in his contract. I was shocked, how’s it possible?” He tried again but same result. Schucks – his words.
“The ETH was transferred to his contract, then two transfers showing as going to my exploit contract, however it didn’t get anything,” our cute bunny says.
The smart contract had hacked the hacker in probably the very first instance of such case by containing a “check the incoming address” function.
“If it is the owner of the honeypot, it will just return and not consume much gas. If it is anyone else, e.g. you, it will run in an infinite loop to expend all your gas,” an eth developer says.
All that was hidden in the constructor, which is sort of a metadata function to name your contract and can only run once when the smart contract is created. The hacker says:
“The source code being displayed as part of the ‘verified’ contract is kind of like an illusion of a magician’s trick. I’ve actually noticed that the constructor needed the address to the log contract, but didn’t think much of it & didn’t follow up to see what address it was actually pointing to, was in a hurry to execute it before anyone else found this ‘exploit’. In hindsight, it’s so obvious.”
We do not know who was smart enough to create this smart contract, but the hacker and the hacked could be the same person, so hacking us to write about the hacker hacking in a hacked PR stunt.
Yet, as funny as we’ve tried to make this story, there is a clear lesson here kids. When trying to hack hackers, which is probably most of smart contract writers, just be careful you do not get hacked by the hacker you are trying to hack.
And for the rest, as innocent or simple as those solidity lines might seem, they can be very much a minefield, so make sure to buckle down and put on a bunker’s hat when coding them in these pioneering realms.
Related posts
Bitfinex Pays $23 Million ETH Fee on $100,000 USDt Transfer
September 27, 2021 2:32 pm
Ethereum on Exchanges Plunges to 16%
September 27, 2021 1:43 pm
dYdX Overtakes Coinbase in Trading Volumes
September 27, 2021 11:36 am
marjor jackson March 16, 2018 at 7:11 am
Haha, how he was feeling at that time, this sounds interesting. at least he felt for a while that how do people feel when they do same with innocent people. Get help with Bitdefender customer service for Bitdefender antivirus
jameslamber June 1, 2018 at 6:17 pm
i am 100% proud to say i have made more than $50000 from these softwares introduced to me by mastermindhackers16@gmail.com
Hack News April 13, 2019 at 12:15 am
That must have been a nice learning experience for him 🙂