Blockchain hustler beats the house with smart contract hack | Cyber Security

A wily hacker has scored a thousand dollar cryptocurrency jackpot – 24 times – by using their own code to tamper with a smart run by a betting company on the EOS blockchain.

EOS is a blockchain-based cryptocurrency launched by, and it is a competitor to the more established Ethereum.

Unlike Bitcoin, which uses a blockchain to record the transfer of digital currency, EOS and Ethereum both enable people to run computer programs. These programs are called smart contracts, and instead of running in one place they run on many computers connected to the blockchain.

contracts can do similar things to more conventional programs on the regular internet. They can run ecommerce sites, digital currency exchanges, and games. In this case, a Maltese company called DEOS Games was using the EOS blockchain to run a gambling game.

Customers send a quantity of the EOS cryptocurrency over the network to DEOS smart contracts running Lotto, Blackjack or Roulette. A smart contract processes the bet, and if the customer wins, it sends them their winnings and their original stake.

These blockchain betting shops use cryptographic techniques to prove that the contracts are fair and that they’re not just taking your money. In fact, DEOS goes so far as to promise “no house advantage”. That couldn’t have been more true in the case of runningsnail.

Runningsnail is an EOS user who figured out a way to hack a DEOS smart contract, and thanks to the wonder of the EOS block explorer – a system that lets people see transactions on its blockchain – the internet got a front row seat.

On 9 September, the user’s account shows several small transactions in which DEOS Games sent winnings to runningsnail, beginning at 6:24am west coast time. These continued for a few minutes, culminating in a transaction of 16.4 EOS at 6:32am. This was just a warm-up before the fun really started.

Shortly afterward came a series of similar transaction exchanges. Runningsnail would transfer 10 EOS to thedeosgames, and would promptly receive 197 EOS in winnings. This happened 24 times, for a grand total of 4728 EOS, not including the first few exploratory transactions. Given the price of EOS at the time of the heist – around $5.13 – that means runningsnail stole about $24,250.

DEOS Games confirmed the hack the next day:

This highlights a problem with smart contracts. Unlike other software, which deals with symbols representing money, the data that they send around the network is actually money. When it’s sent, no bank has to follow up and settle it later. It’s gone, whisked off to someone’s anonymous account – whoosh – and you don’t get it back. So the stakes are high when dealing with security flaws in smart contracts.

Runningsnail’s smart contract interacted with the DEOS Games contract, but included malicious code that made the DEOS contract do something it shouldn’t.