Ethereum Alarm Clock exploit leads to $260K in stolen gas fees so far

cointelegraph.com:

A bug in the smart contract code for the Ethereum Alarm Clock service has reportedly been exploited, with nearly $260,000 said to have been swiped from the protocol so far.

The Ethereum Alarm Clock enables users to schedule future transactions by pre-determining the receiver address, sent amount, and desired time of transaction. Users must have the required Ether (ETH) on hand to complete the transaction and need to pay the gas fees upfront.

According to an Oct. 19 Twitter post from blockchain security and data analytics firm PeckShield, hackers managed to exploit a loophole in the scheduled transaction process which allows them to make a profit on returned gas fees from canceled transactions.

In simple terms, the attackers essentially called cancel functions on their Ethereum Alarm Clock contracts with inflated transaction fees. As the protocol dishes out a gas fee refund for canceled transactions, a bug in the smart contract has been refunding the hackers a greater value of gas fees than they initially paid, allowing them to pocket the difference.

“We've confirmed an active exploit that makes use of huge gas price to game the TransactionRequestCore contract for reward at the cost of the original owner. In fact, the exploit pays 51% of the profit to the miner, hence this huge MEV-Boost reward,” the firm wrote.

We've confirmed an active exploit that makes use of huge gas price to game the TransactionRequestCore contract for reward at the cost of original owner. In fact, the exploit pays the 51% of the profit to the miner, hence this huge MEV-Boost reward. https://t.co/7UAI0JFv72 https://t.co/De6QzFN472 pic.twitter.com/iZahvC83Fp

PeckShield added at the time, it had spotted 24 addresses which had been exploiting the bug to