EOSPlay Hacker Turns $1k into $120k


A hacker has exposed a bug in EOSPlay, a gambling dApp on the EOS blockchain, and used it to turn 300 EOS tokens into 30,000, congesting the network in the process and raising further questions over the readiness of dApps for public use. The hack, which seems to have subsided since its exposure, follows the twin hacks of the EOSBet dApp last year and illustrates how much work remains to shore up such applications before they achieve widespread adoption.

Larimer Blames EOSPlay Developers

EOSPlay offers a small selection of basic games, including Baccarat, Dice and an EOS lottery. The attacker used REX, the EOS Resource Exchange, where users lend and rent the CPU and network bandwidth that every EOS transaction must pay for, to rent a huge amount of resources. They then used those resources to congest the network and exploit one or more of the games, allowing them to win with every roll of the dice. By the time the hack was reported by CryptoSlate, the account, mumachayinmm, had amassed 30,000 EOS tokens, worth $120,000 at the time of writing.

EOS creator Dan Larimer responded to criticism over another attack on the EOS system by stating that “the network didn’t freeze for token holders” and that the EOS system was “operating correctly”, laying the blame squarely at the feet of EOSPlay:

Lesson learned here is don’t design contracts that depend upon extra bandwidth available during uncontested mode. The eosplay contract should have a low cpu action to pause execution available to contract maintainers.

Larimer also likened playing EOSPlay, given the design of its contract, to "buying a lottery ticket, winning, and getting stuck in traffic while your redemption window closes".
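The failure mode Larimer describes, a contract whose payout depends on a follow-up transaction landing within a redemption window while someone else has rented most of the network's CPU, can be modelled in a few dozen lines. The following is an added example, not EOSPlay's contract or EOSIO code: the scheduler is a deliberate simplification of EOS's stake-proportional throttling in congested mode (first come, first served while the block has spare CPU; each account held to its rented share once demand exceeds the block), and the account names, CPU shares, per-block budget, action costs and window length are all constructed. The `pause` action is the cheap maintainer switch from Larimer's quote: it stops new bets and freezes the redemption clock, and it fits under the maintainer's guaranteed share even when the attacker's spam does not.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

BLOCK_CPU_US = 1000  # constructed: CPU budget of one block, in microseconds


@dataclass
class Tx:
    sender: str
    action: str
    cpu_us: int
    bet_id: Optional[int] = None


class Scheduler:
    """Simplified EOS-style CPU scheduling (an assumption, not the real algorithm):
    while total demand fits in the block ("uncontested"), any account may use the
    budget first come, first served; once demand exceeds it ("congested"), each
    account is held to its staked/rented share of the block."""

    def __init__(self, shares: Dict[str, float]):
        self.shares = shares  # account -> fraction of total staked/rented CPU

    def run_block(self, pending: List[Tx]) -> Tuple[List[Tx], List[Tx]]:
        congested = sum(t.cpu_us for t in pending) > BLOCK_CPU_US
        used: Dict[str, int] = {}
        total = 0
        executed, deferred = [], []
        for t in pending:
            cap = BLOCK_CPU_US * self.shares.get(t.sender, 0.0) if congested else BLOCK_CPU_US
            if used.get(t.sender, 0) + t.cpu_us <= cap and total + t.cpu_us <= BLOCK_CPU_US:
                used[t.sender] = used.get(t.sender, 0) + t.cpu_us
                total += t.cpu_us
                executed.append(t)
            else:
                deferred.append(t)  # did not fit this block; sender must resubmit
        return executed, deferred


class Casino:
    """Toy lottery contract: a winning bet must be redeemed within `window` blocks
    or it is forfeited. `pause` stops new bets and freezes the redemption clock."""

    def __init__(self, window: int):
        self.window = window
        self.paused = False
        self.open: Dict[int, Tuple[str, int]] = {}  # bet_id -> (player, block placed)
        self.paid: Set[int] = set()
        self.forfeited: Set[int] = set()

    def apply(self, tx: Tx, height: int) -> None:
        if tx.action == "pause":
            self.paused = True
        elif tx.action == "bet" and not self.paused:
            self.open[tx.bet_id] = (tx.sender, height)
        elif tx.action == "redeem":
            owner = self.open.get(tx.bet_id, (None, 0))[0]
            if owner == tx.sender:  # paying an existing winner is still allowed while paused
                del self.open[tx.bet_id]
                self.paid.add(tx.bet_id)

    def end_block(self, height: int) -> None:
        if self.paused:
            return  # clock frozen: nobody loses a win to congestion
        for bet_id, (_, placed) in list(self.open.items()):
            if height - placed >= self.window:
                del self.open[bet_id]
                self.forfeited.add(bet_id)


def simulate(pause_at: Optional[int] = None, attack_blocks: int = 8,
             window: int = 5, blocks: int = 10) -> Casino:
    """Player wins a bet in block 0; from block 1 the attacker, holding 90% of rented
    CPU, floods every block up to `attack_blocks`; the player retries redeeming each
    block; the maintainer submits `pause` from block `pause_at` (if given)."""
    sched = Scheduler({"attacker": 0.90, "eosplay": 0.05, "player": 0.05})  # constructed shares
    casino = Casino(window)
    for height in range(blocks):
        pending: List[Tx] = []
        if height == 0:
            pending.append(Tx("player", "bet", 100, bet_id=1))  # placed while uncontested
        else:
            if height <= attack_blocks:
                pending += [Tx("attacker", "spam", 150) for _ in range(12)]  # 1800 us demand
            pending.append(Tx("player", "redeem", 100, bet_id=1))
            if pause_at is not None and height >= pause_at and not casino.paused:
                pending.append(Tx("eosplay", "pause", 20))  # deliberately cheap action
        executed, _ = sched.run_block(pending)
        for tx in executed:
            casino.apply(tx, height)
        casino.end_block(height)
    return casino


if __name__ == "__main__":
    for label, result in [("no attack", simulate(attack_blocks=0)),
                          ("attack, no pause", simulate()),
                          ("attack, pause at block 2", simulate(pause_at=2))]:
        print(f"{label:26s} paid={result.paid} forfeited={result.forfeited} paused={result.paused}")
```

Without the attack the redeem lands in block 1. During the attack the player's 100 us redeem never fits under the 50 us share they are held to in congested mode, so the unpaused contract forfeits the win at block 5 even though the player was submitting it every block; with the 20 us `pause` the maintainer's transaction still fits, the clock stops, and the win is paid once the congestion clears.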

Hack is Suggestive of Deeper Problems

Larimer can push the blame onto third-party contracts all he likes, but the fact is that yet another EOS dApp has been exploited through the fundamental design of the platform. It was revealed last year that more than $1 million worth of EOS tokens had been lost to hackers in the second half of the year, suggesting either that something is seriously wrong with the platform at its core or that dApp developers are not being educated well enough on how to secure their applications. The hack did not, however, affect the price of the EOS token, which enjoyed a near double-digit gain over the weekend, adding more fuel to the argument that demand for EOS is increasing, although no one quite knows who is behind it.