$180 000 USD

MARCH 2019

GLOBAL

NKPAYMENTCAP

DESCRIPTION OF EVENTS

"On March 11, EOS DApp nkpaymentcap was attacked, and hackers successfully made a profit of 50,000 EOS, which is approximately more than 1 million yuan." "According to data monitored by PeckShield's risk control platform DAppShield, EOS DApp nkpaymentcap suffered a false transfer notification attack at around 2:30 in the morning, and lost 50,000 EOS. At the current price of EOS, the loss is about US$180,000."

"Fake Receipt Attack. The key feature of this attack is that the vulnerable smart contract is misled by the fake notification to receive tokens, while the actual token transfer occurs between the two accounts belonging to the same attacker (see §3.2). For simplicity, we will use from_account and to_account to represent the two accounts in the following, where to_account will send the fake receipt to the vulnerable contract, and from_account is the ultimate beneficiary. Accordingly, we will first query all the transactions of token transfer whose tokens are issued by eosio.token and whose token symbols are "EOS", to get all the true EOS token transfers."

"These transactions will be regarded as the fake receipts with crafted notifications. Next, if a from_account sends a fake receipt before making profits from the vulnerable contract, we will mark the corresponding transaction as potential. After that, by eliminating the unrelated EOS spending transactions (e.g., those initiated by the attacker for testing purposes), we focus mainly on those who have gained more true EOS tokens than they spent. If the input-output ratio is still high, the corresponding transactions are labeled as suspicious. Finally, we will manually check, for the suspicious transactions, whether the vulnerable smart contract resumes normal execution after receiving the fake receipts. If so, we will mark such a transaction as a fake receipt attack."

"The attacker launched continuous attacks on EOS DApp nkpaymentcap and successfully profited 50,000 EOS. After analysis, it was found that the attacker used a fake transfer notification attack to obtain a large number of contract tokens, and then exchanged the tokens into real EOS for cash out through the DApp contract."

The EOS project nkpaymentcap was attacked through a fake receipt attack, in which the actual token transfer took place between two accounts owned by the attacker, while the DApp contract was misled by the accompanying notification into treating it as a genuine deposit. A number of EOS smart contracts shared this vulnerability: they would erroneously allow tokens to be withdrawn after an attacker sent funds to themselves. The project no longer appears to exist, so there is no indication that anything was done to assist affected users.
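To make the vulnerability class concrete, the following is an added example written for this page; it is not code from nkpaymentcap, PeckShield or the quoted paper. It is a self-contained C++ model of how an EOSIO contract's notification handler sees a transfer (it does not use the eosio.cdt headers, and the account names and amounts are constructed for illustration). The vulnerable handler credits any notification whose action is named `transfer`; the hardened handler additionally requires that the notification's `code` (the account whose action produced it) be `eosio.token` and that the token symbol be the one the DApp accepts, which is what defeats a receipt relayed from an attacker-controlled contract.

```cpp
// Added illustration of the EOS "fake receipt" vulnerability class: a self-contained
// model of transfer-notification handling. No eosio.cdt is used; all account names and
// amounts below are constructed for the example.
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <utility>

// What a contract's apply(receiver, code, action) entry point learns about an incoming
// notification. For a genuine deposit, `code` is eosio.token. A contract controlled by
// the attacker can deliver a notification whose action is also named "transfer" and
// whose data names the victim as recipient, but whose `code` is the attacker's contract.
struct Notification {
    std::string receiver;  // the account being notified
    std::string code;      // account whose action produced this notification
    std::string action;    // action name
    std::string from;      // transfer sender as stated in the action data
    std::string to;        // transfer recipient as stated in the action data
    int64_t amount;        // in 0.0001 EOS units (EOS has 4 decimals)
    std::string symbol;    // token symbol as stated in the action data
};

// Minimal deposit ledger of a DApp contract. With verify_code == false it behaves like
// the vulnerable contracts described on this page; with verify_code == true it performs
// the checks a hardened contract needs before crediting a deposit.
class DepositLedger {
public:
    DepositLedger(std::string self, bool verify_code)
        : self_(std::move(self)), verify_code_(verify_code) {}

    // Handle one notification. Returns true if a deposit was credited.
    bool on_notify(const Notification& n) {
        if (n.receiver != self_ || n.action != "transfer") return false;
        if (n.to != self_) return false;  // our own outgoing transfers are not deposits
        if (verify_code_) {
            // The notification must come from the real token contract and carry the
            // token we accept; otherwise any contract can manufacture "deposits".
            if (n.code != "eosio.token") return false;
            if (n.symbol != "EOS") return false;
        }
        balances_[n.from] += n.amount;
        return true;
    }

    int64_t balance(const std::string& account) const {
        auto it = balances_.find(account);
        return it == balances_.end() ? 0 : it->second;
    }

private:
    std::string self_;
    bool verify_code_;
    std::map<std::string, int64_t> balances_;
};

// Replays two constructed notifications against a fresh ledger for "vulndapp".
static DepositLedger replay(bool verify_code) {
    DepositLedger dapp("vulndapp", verify_code);
    // Constructed genuine deposit: alice sends 1.0000 EOS via eosio.token.
    Notification genuine{"vulndapp", "eosio.token", "transfer", "alice", "vulndapp", 10000, "EOS"};
    // Constructed fake receipt: the action data claims a 50,000 EOS transfer from
    // attacker1 to vulndapp, but the notifying contract is attackerctr, not eosio.token.
    Notification fake{"vulndapp", "attackerctr", "transfer", "attacker1", "vulndapp", 500000000, "EOS"};
    dapp.on_notify(genuine);
    dapp.on_notify(fake);
    return dapp;
}

// Balance credited to the attacker's account after the replay.
int64_t attacker_credit(bool verify_code) { return replay(verify_code).balance("attacker1"); }

// Balance credited to the legitimate depositor after the replay (unaffected by the fix).
int64_t alice_credit(bool verify_code) { return replay(verify_code).balance("alice"); }

int main() {
    std::cout << "vulnerable contract credits attacker: " << attacker_credit(false) << "\n";
    std::cout << "hardened contract credits attacker:   " << attacker_credit(true) << "\n";
    std::cout << "alice credited in both cases:         " << alice_credit(true) << "\n";
    return 0;
}
```

The check on `code` is the essential one: the action name alone is attacker-controlled, while `code` identifies the account whose contract actually executed. Restricting the accepted symbol closes the related case where a different token with the same name is sent through another token contract.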

HOW COULD THIS HAVE BEEN PREVENTED?

There are a number of ways to prevent and mitigate this situation. It is far more secure to hold the majority of funds in a multi-signature wallet whose keys are stored offline by multiple operators. This would limit the potential loss to only those funds actively needed. Audits can further reduce the risk on the hot wallets, and we advocate that at least two reviews be required before a project launches. Known platform operators would ensure that a best effort is made to assist affected users, with a comprehensive industry insurance fund as a fallback in the worst case.


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.