Hack back: Attackers fall for Ethereum booby trap

Those exploiting weaknesses in smart contracts face being hacked themselves

Cryptocurrencies have become a prime target for cyber-attacks, with assailants stealing millions of dollars through vulnerable contracts and with bugs that can manipulate the blockchain.

But now these crypto thieves are being outsmarted, falling for traps laid carefully by hackers and causing their burglary plans to backfire.

‘Jazzy’, a 17-year-old web security researcher, first noticed a booby trap found within Ethereum smart contracts while inspecting those compiled on a blockchain explorer – a public site that allows users to upload and verify contracts for digital transaction.

“Ethereum runs code written in a language known as solidity,” he told The Daily Swig. “Some people write code in that language, making it look vulnerable and easily hackable.

“When an attacker tries to hack it, the code has some hidden functionality, which is not easily distinguishable, and so it doesn't work in the way it was supposed to.”

Smart contracts, used to facilitate the exchange of cryptocurrencies like Ethereum, hold value in their ability to create bespoke deals – like creating a contract that requires multiple people to sign onto.

The fluidity of this creation, however, can mean that mistakes are inevitably made in the smart contract’s coding.

This vulnerability – paired with the lack of oversight and finality of transactions – can be leveraged by fraudsters, who can steal some, if not all, of the contract’s worth.

Spotting what looks like an exploitable error in the code is what entices an attacker to land in the booby trap.

“An attacker is basically expecting the contract to send them all the Ethereum stored in it,” explained Jazzy.

“It [the contract] appears vulnerable, and so the attacker believes that it will.”

For the trap to work, attackers must send the contract owner some of their own Ethereum – anywhere between 1-5 ETH, up to an approximate $2,670, according to Jazzy.

Other researchers who have started to look into this new trend have found these contracts to have an initial balance of between 0.5 and 1 ETH.

By sending over some funds, an attacker believes that they will be able to withdraw the entire value of the contract and reclaim their original offering.

What happens instead is that the full amount, including the attacker’s money, is transferred to the original contract owner.

“I don’t think anybody else can be affected by this except the attackers,” said Jazzy, noting how it would be highly possible to find similar traps within other cryptocurrencies.

“This is a case of hackers getting hacked by smarter hackers.”

Jazzy has discovered four different types of contracts that have booby traps, ranging from low-level to highly sophisticated attacks, he said.

“I was live tracking this one booby trap and I saw it stealing three ether in less than six hours,” said Jazzy, who has detailed his research in a blog post.

He added: “Although I think now people have realized about these booby traps and they're starting to be more careful.”

While some critics have condemned the deployment of ‘hacking back’, its presence in the unregulated crypto space, where crime can run rampant, is perhaps a welcomed evolution to those operating honestly and fairly.