Almost $260,000 has reportedly been siphoned from the Ethereum Alarm Clock protocol as a result of a vulnerability in its smart contract code.
Ethereum Alarm Clock lets users schedule future transactions by setting the recipient address, the value to be sent, and the intended time of the transaction in advance. Users must pay the gas costs upfront and have the requisite Ether on hand in order to complete the transaction.
According to a tweet from the blockchain security and data analytics company PeckShield on October 19, the attackers effectively used inflated transaction fees to exploit the cancel functions on their Ethereum Alarm Clock contracts.
Due to a flaw in the smart contract, the protocol has been reimbursing the hackers more in gas fees than they originally paid, allowing them to keep the excess.
PeckShield said it had confirmed an active exploit that uses high gas prices to cheat the TransactionRequestCore contract for rewards at the expense of the original owner. The miner receives 51% of the profit from the exploit, which explains the massive MEV-Boost return.
At the time, PeckShield stated that it had discovered 24 addresses that had been abusing the vulnerability to obtain the purported “rewards”.
A few hours later, Web3 security company Supremacy Inc. also released an update, citing the Etherscan transaction history to show that the hacker(s) had so far succeeded in stealing 204 ETH, valued at approximately $257,205 at the time of writing.
The TransactionRequestCore contract — which is four years old and is a part of the seven-year-old Ethereum-alarm-clock project — was the target of an unexpected attack, the firm said.