Ethereum Alarm Clock exploit leads to $260K in stolen gas fees so far

A bug in the smart contract code for the Ethereum Alarm Clock service has reportedly been exploited, with nearly $260,000 said to have been swiped from the protocol so far.

The Ethereum Alarm Clock enables users to schedule future transactions by pre-determining the receiver address, sent amount, and desired time of transaction. Users must have the required Ether (ETH) on hand to complete the transaction and need to pay the gas fees upfront.

According to an Oct. 19 Twitter post from blockchain security and data analytics firm PeckShield, hackers managed to exploit a loophole in the scheduled transaction process which allows them to make a profit on returned gas fees from canceled transactions.

In simple terms, the attackers essentially called cancel functions on their Ethereum Alarm Clock contracts with inflated transaction fees. As the protocol dishes out a gas fee refund for canceled transactions, a bug in the smart contract has been refunding the hackers a greater value of gas fees than they initially paid, allowing them to pocket the difference.

“We've confirmed an active exploit that makes use of huge gas price to game the TransactionRequestCore contract for reward at the cost of the original owner. In fact, the exploit pays 51% of the profit to the miner, hence this huge MEV-Boost reward,” the firm wrote.

We've confirmed an active exploit that makes use of huge gas price to game the TransactionRequestCore contract for reward at the cost of original owner. In fact, the exploit pays the 51% of the profit to the miner, hence this huge MEV-Boost reward. https://t.co/7UAI0JFv72 https://t.co/De6QzFN472 pic.twitter.com/iZahvC83Fp

— PeckShield Inc. (@peckshield) October 19, 2022

PeckShield added at the time, it had spotted 24 addresses which had been exploiting the bug to collect the supposed “rewards.”

Web3 security frim Supremacy Inc also provided an update a few hours later, pointing to Etherscan transaction history that showed the hacker(s) were so far able to swipe 204 ETH, worth roughly $259,800 at the time of writing.

“Interesting attack event, TransactionRequestCore contract is four years old, it belongs to ethereum-alarm-clock project, this project is seven years old, hackers actually found such old code to attack,” the firm noted.

2/ The cancel function calculates the Transaction Fee (gas uesd * gas price) to be spent with the "gas used" over 85000 and transfers it to the caller. pic.twitter.com/aXyad0oDPv

— Supremacy Inc. (@Supremacy_CA) October 19, 2022

As it stands, there has been a lack of updates on the topic to determine if the hack is ongoing, if the bug has been patched, or if the attack has concluded. This is a developing story and Cointelegraph will provide updates as it unfolds.

Despite October generally being a month associated with bullish action, this month so far has been rife with hacks. According to a Chainalysis report from Oct. 13, there had already been $718 million stolen from hacks in October, making it the biggest month for hacking activity in 2022.

Immunefi partners with Binance Smart Chain on bug bounties to secure BSC projects   July 9, 2021
Smart contract exploits are more ethical than hacking... or not?   April 18, 2021
Multichain recovers $2.6M stolen funds, to reimburse losses on condition   Feb. 19, 2022
Can Web3 be hacked? Is the decentralized internet safer?   Aug. 21, 2022
Wintermute inside job theory 'not convincing enough' —BlockSec   Sept. 28, 2022