Alarm Clock Smart Contract Exploited on Ethereum: Developing Story

Blockchain security firm PeckShield published the details of a new transaction fee refund exploit on the TransactionRequestCore smart contract belonging to the Ethereum Alarm Clock Project.

At press time, almost 24 hackers had looked to rob transaction owners by calling the transaction cancel function.

Smart contract refunds drained

The transaction fee then sent to the caller was very high compared to what the original transaction owners would have received if they requested the refund.

As can be seen above, the purpose of the cancel function is to compute the owner’s gas cost and add a constant of 85,000 to that amount to refund them. 

Source: Supremacy Inc.

Consequently, the hacker does not need to use more than 70,355 in gas to receive a refund greater than the original transaction fee. After that, they can pocket the difference.
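The refund arithmetic described above can be checked against observed cancel calls. The following Python sketch is an added example, not code from PeckShield, Supremacy Inc. or the Ethereum Alarm Clock project; it flags cancel calls whose refund exceeds the fee the caller paid. The record fields, the `measured_gas` values, the gas prices and the pricing of the refund at the caller's gas price are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass

CANCEL_EXTRA_GAS = 85_000  # constant the article says cancel adds to the measured gas
GWEI = 10**9


@dataclass(frozen=True)
class CancelCall:
    tx_id: str          # constructed label, not a real transaction hash
    measured_gas: int   # gas the contract metered before adding the constant (assumed)
    gas_used: int       # gas the caller was actually billed for the transaction
    gas_price_wei: int  # assumption: the refund is priced at the caller's gas price


def refund_wei(call: CancelCall) -> int:
    """Refund as described in the article: (measured gas + 85,000), priced in wei."""
    return (call.measured_gas + CANCEL_EXTRA_GAS) * call.gas_price_wei


def fee_wei(call: CancelCall) -> int:
    """What the caller actually paid the network for the transaction."""
    return call.gas_used * call.gas_price_wei


def surplus_wei(call: CancelCall) -> int:
    """Positive when the contract pays out more than the call cost."""
    return refund_wei(call) - fee_wei(call)


def flag_over_refunds(calls, tolerance_wei=0):
    """Return (tx_id, surplus) for each call refunded above its own fee, largest first."""
    flagged = [(c.tx_id, surplus_wei(c)) for c in calls if surplus_wei(c) > tolerance_wei]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


# Constructed sample records; 70,355 is the gas figure quoted in the article.
SAMPLE_CALLS = [
    CancelCall("tx-a", measured_gas=20_000, gas_used=70_355, gas_price_wei=30 * GWEI),
    CancelCall("tx-b", measured_gas=20_000, gas_used=70_355, gas_price_wei=300 * GWEI),
    CancelCall("tx-c", measured_gas=20_000, gas_used=110_000, gas_price_wei=30 * GWEI),
]

if __name__ == "__main__":
    for tx_id, surplus in flag_over_refunds(SAMPLE_CALLS):
        print(f"{tx_id}: refund exceeds fee by {surplus / 10**18:.6f} ETH")
```

Because the added constant alone is larger than 70,355, any call billed at or below that gas figure is flagged regardless of what the contract measured.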

Accordingly, one Twitter user, pyggie9, tweeted:

According to PeckShield, 51% of the bloated refund is paid out as profit to miners, increasing their Miner Extractable Value (MEV). So far, one of the beneficiaries has been an Ethereum validator using the liquid staking pool Lido Finance. Etherscan data reveals that the validator has reportedly received $158,000 (121 ETH) from contract 0xbb1d6b3be1396a4b5ccb8d061b302250bb2b73fd at block 15,782,459.

According to security company Supremacy Inc., hackers have stolen 204 ETH so far.

Miner extractable value refers to miners arranging transactions in blocks to maximize their profits. An accepted way to improve MEV returns is through a proposer/block-builder separation. A proposer in the Ethereum Virtual Machine can earn a tidy sum for sending blockspace to a cohort of reliable block builders.

Alarm clock operation

The Ethereum Alarm Clock project contains Ethereum transactions scheduled to occur at a future date. Transactions can be scheduled by people or smart contracts. Additionally, the EAC will enable TimeNodes to call transactions during a certain time frame.

The TransactionRequestCore smart contract involved in this latest exploit is four years old.

According to a recent report by research company Token Terminal, smart contract exploits are not easy to fix.

This hack is still active, and updates will be added soon.


Source: https://beincrypto.com/alarm-clock-smart-contract-exploited-on-ethereum-developing-story/