Supremacy, a Web3 security business, highlighted Etherscan transaction history, which revealed that the hacker(s) were able to pilfer 204 ETH in gas fees so far, totaling $259,800.
A flaw in the smart contract code for the Ethereum Alarm Clock service has reportedly been exploited, with approximately $260,000 allegedly stolen from the protocol thus far.
The Ethereum Alarm Clock allows users to schedule future transactions by predetermining the recipient address, sending amount, and transaction time.
To complete a scheduled transaction, users must have the required Ether (ETH) on hand and pay the gas fees in advance.
According to a tweet from blockchain security and data analytics startup PeckShield on Oct. 19, hackers were able to exploit a weakness in the scheduled transaction process, allowing them to profit from gas fees refunded on canceled transactions.
Simply put, the attackers called the cancel functions on their Ethereum Alarm Clock contracts with inflated transaction fees.
Because the protocol refunds gas fees for canceled transactions, a flaw in the smart contract has been refunding the hackers more in gas fees than they originally paid, allowing them to pocket the difference.
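The condition described above (a cancel whose refund exceeds the fee the caller paid) can be checked over transaction records. The following is an added example, not code from the article or from the Ethereum Alarm Clock project; the record fields, addresses and sample values are constructed, and it assumes the refund amount has already been extracted from each transaction's internal transfers.

```python
from collections import defaultdict
from dataclasses import dataclass

GWEI = 10**9  # wei per gwei; all amounts are integer wei to avoid float drift


@dataclass(frozen=True)
class CancelTx:
    tx_hash: str        # constructed placeholder, not a real hash
    sender: str         # constructed placeholder address
    gas_used: int       # gas units consumed by the cancel call
    gas_price_wei: int  # gas price the sender chose for the call
    refund_wei: int     # value the contract sent back to the sender

    @property
    def fee_paid_wei(self) -> int:
        # What the sender actually paid the network for this call.
        return self.gas_used * self.gas_price_wei


def audit_cancels(txs, tolerance_wei=0):
    """Flag cancels whose refund exceeds the fee paid.

    Returns (flagged, gain): flagged is a list of (tx_hash, surplus_wei),
    gain maps each sender to the total surplus collected.
    """
    flagged = []
    gain = defaultdict(int)
    for tx in txs:
        surplus = tx.refund_wei - tx.fee_paid_wei
        if surplus > tolerance_wei:
            flagged.append((tx.tx_hash, surplus))
            gain[tx.sender] += surplus
    return flagged, dict(gain)


# Constructed sample records: one ordinary cancel, two with an oversized refund.
SAMPLE = [
    CancelTx("0xTX_A", "0xSENDER_1", 60_000, 20 * GWEI, 1_000_000 * GWEI),
    CancelTx("0xTX_B", "0xSENDER_2", 60_000, 5_000 * GWEI, 400_000_000 * GWEI),
    CancelTx("0xTX_C", "0xSENDER_2", 60_000, 5_000 * GWEI, 400_000_000 * GWEI),
]

if __name__ == "__main__":
    flagged, gain = audit_cancels(SAMPLE)
    for tx_hash, surplus in flagged:
        print(f"{tx_hash}: refund exceeds fee by {surplus / 10**18:.4f} ETH")
    for sender, total in gain.items():
        print(f"{sender}: net gain {total / 10**18:.4f} ETH")
```

A refund that never exceeds the fee paid is the invariant a refund path should hold, so any flagged record is worth investigating regardless of the gas price used.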
Supremacy Inc, a Web3 security business, also issued an update a few hours later, pointing to Etherscan transaction history, which showed the hacker(s) were able to pilfer 204 ETH, worth around $259,800 at the time of writing.
“Interesting attack event, the TransactionRequestCore contract is four years old, it belongs to the Ethereum-alarm-clock project, which is seven years old, hackers really located such old code to attack,” the business observed.