A hacker trying to hack a hacker was hacked by the hacker he was trying to hack in an ethereum smart contract cat and mouse game, honey pots and pots of honey.
An ethereum coder says he was whistling around smart contract land when he saw a bug similar to the one that got the DAO hacked.
But unlike the millions the DAO had, this one was hosting only one eth that on the surface seemed “vulnerable to a Rentrancy attack,” the hacker says before further adding:
“Beauty!”, I thought. “I can have some fun and try out this hack, and give the funds back to the contract creator later. There’s 1 ETH in there, so it should be a fun challenge, maybe do a victorious blog post later.”
Of course he was going to give back the one eth. We do not doubt it for one second. So the smart kid went off writing the exploit code, testing it on testnet, then:
“It didn’t work! The Eth got stuck in his contract. I was shocked, how’s it possible?” He tried again but same result. Schucks – his words.
“The ETH was transferred to his contract, then two transfers showing as going to my exploit contract, however it didn’t get anything,” our cute bunny says.
The smart contract had hacked the hacker in probably the very first instance of such case by containing a “check the incoming address” function.
“If it is the owner of the honeypot, it will just return and not consume much gas. If it is anyone else, e.g. you, it will run in an infinite loop to expend all your gas,” an eth developer says.
All that was hidden in the constructor, which is sort of a metadata function to name your contract and can only run once when the smart contract is created. The hacker says:
“The source code being displayed as part of the ‘verified’ contract is kind of like an illusion of a magician’s trick. I’ve actually noticed that the constructor needed the address to the log contract, but didn’t think much of it & didn’t follow up to see what address it was actually pointing to, was in a hurry to execute it before anyone else found this ‘exploit’. In hindsight, it’s so obvious.”
We do not know who was smart enough to create this smart contract, but the hacker and the hacked could be the same person, so hacking us to write about the hacker hacking in a hacked PR stunt.
Yet, as funny as we’ve tried to make this story, there is a clear lesson here kids. When trying to hack hackers, which is probably most of smart contract writers, just be careful you do not get hacked by the hacker you are trying to hack.
And for the rest, as innocent or simple as those solidity lines might seem, they can be very much a minefield, so make sure to buckle down and put on a bunker’s hat when coding them in these pioneering realms.