The Fairwin contract, which took in $125 million, has been emptied. Will anyone dare to play when it restarts in three days?

Fairwin is a gambling platform and one of the largest contracts on the Ethereum network. According to ETH Gas Station, over the past 30 days the platform has consumed 51% of the gas on Ethereum (gas is the fee that pays for every computation the network performs). The stablecoin issuer Tether was previously accused of consuming large amounts of gas; Fairwin consumed almost twice as much as Tether.

Smart contract

Fairwin claims to be a fair gambling platform. Users bet on the simplest games of chance, such as coin tosses and dice rolls. A 4% cut of every bet goes to what Fairwin calls "ecosystem construction", and Fairwin says those funds are returned to investors. Many security researchers, however, believe the whole thing is a scam. Over the past few weeks, white-hat hackers have disclosed vulnerabilities in the Fairwin contract on Ethereum that put millions of dollars of user funds at risk. According to an analysis by Ethereum developer Philippe Castonguay, Fairwin received a total of 687,598 ETH, or about $125 million. But as of Monday this week, all the funds in the contract had been drained.

It is unclear whether the funds were drained because the contract owner absconded with the money, or because the white-hat hackers succeeded in alerting Fairwin's users, who then withdrew everything. A message on the Fairwin website expressed "strong condemnation" of "false news reports" and said the game would restart within the next three days. Daniel Luca, a security auditor who helped identify the vulnerabilities, said the contract's owner managed to withdraw most of the money before investors could. But "it is impossible for everyone to withdraw funds. Some people have suffered losses as a result."

Earlier this month, white-hat hackers began to notice the project and have been studying it since. Clement Lesaege, chief technology officer of the blockchain startup Kleros, learned about the project in a Telegram group devoted to Ethereum security. The first issue he disclosed is that the contract's economics are unsustainable: the more money people put in, the higher the dividends the contract owes. The problem is that once new investors stop putting money in, the contract can no longer pay participants, and eventually everyone loses everything. The hottest app on the Ethereum blockchain in September looks and feels like a Ponzi scheme.

A few days ago, a white-hat hacker discovered a vulnerability that lets the contract operator steal user funds. As Lesaege wrote:

"Rewards, dividends, and prizes can only be issued by the operator. The operator can choose which users to reward. The operator can issue rewards to accounts it controls without issuing rewards to other users, thereby stealing funds from the contract."

Lesaege said the contract is also open to a front-running attack. Under the rules of the Fairwin contract, an investor's deposit transaction registers an invitation code for the referral program, and the referral bonus always goes to whichever transaction registers a given code first. Lesaege said an attacker can easily obtain a victim's invitation code:

"Before your transaction is executed, an attacker can see your invitation code in the mempool and steal it."

The referral reward for the victim's investment then goes to the attacker instead.
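To make the two patterns concrete, here is an added illustrative Solidity example. It is not FairWin's code: the contract names, function names and state layout are assumptions, written to show the shape of the problems the researchers describe. The first contract has an operator-controlled payout function and binds a plaintext invite code to whoever's transaction lands first; the second replaces the plaintext code with a commit-reveal scheme and replaces operator payouts with withdrawals of balances the contract itself recorded.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction of the two patterns described in the article.
// This is NOT FairWin's code; every name and layout here is an assumption.
contract NaiveInviteGame {
    address public operator;
    mapping(bytes32 => address) public codeOwner;   // invite code -> first registrant
    mapping(address => uint256) public deposits;

    constructor() { operator = msg.sender; }

    // Pattern 1: the invite code travels in plaintext as a calldata argument.
    // Anyone watching the mempool can copy it into their own transaction with a
    // higher gas price, get mined first, and become the code's owner.
    function invest(bytes32 inviteCode) external payable {
        require(msg.value > 0, "no stake");
        if (codeOwner[inviteCode] == address(0)) {
            codeOwner[inviteCode] = msg.sender;   // first come, first served
        }
        deposits[msg.sender] += msg.value;
    }

    // Pattern 2: payouts happen only when the operator says so, to whoever the
    // operator names, with no link to any recorded game result. The operator
    // can pay accounts it controls until the contract is empty.
    function reward(address payable to, uint256 amount) external {
        require(msg.sender == operator, "operator only");
        to.transfer(amount);
    }
}

// Hardened version: commit-reveal for invite codes and pull-based payouts.
contract CommitRevealGame {
    mapping(bytes32 => address) public committer;        // commitment -> who made it
    mapping(bytes32 => uint256) public commitBlock;      // commitment -> block number
    mapping(bytes32 => address) public codeOwner;        // invite code -> owner
    mapping(bytes32 => uint256) public ownerCommitBlock; // invite code -> owner's commit block
    mapping(address => uint256) public balance;          // funds each user may withdraw

    // Step 1: publish only keccak256(code, msg.sender, salt). The mempool sees a
    // hash bound to the sender, so copying it into a transaction from another
    // address proves nothing about the code.
    function commitCode(bytes32 commitment) external {
        require(committer[commitment] == address(0), "already committed");
        committer[commitment] = msg.sender;
        commitBlock[commitment] = block.number;
    }

    // Step 2: reveal in a later block. The earliest commitment wins, so someone
    // who first learns the code from a reveal transaction in the mempool can
    // never produce an earlier commitment than the honest user.
    function revealCode(bytes32 code, bytes32 salt) external {
        bytes32 c = keccak256(abi.encodePacked(code, msg.sender, salt));
        require(committer[c] == msg.sender, "no matching commitment");
        require(block.number > commitBlock[c], "reveal too early");
        require(
            codeOwner[code] == address(0) || commitBlock[c] < ownerCommitBlock[code],
            "code already taken by an earlier commitment"
        );
        codeOwner[code] = msg.sender;
        ownerCommitBlock[code] = commitBlock[c];
    }

    // Deposits are credited to the depositor only...
    function invest() external payable {
        require(msg.value > 0, "no stake");
        balance[msg.sender] += msg.value;
    }

    // ...and every payout is a withdrawal of a balance the contract itself
    // recorded. There is no privileged function that moves other users' money.
    function withdraw(uint256 amount) external {
        require(balance[msg.sender] >= amount, "insufficient balance");
        balance[msg.sender] -= amount;   // update state before the external call
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

In the hardened contract the invite code itself never appears on chain until the reveal, and by then the revealer's commitment is already mined, so a front-runner's best effort is a later commitment that loses the tie-break. A production version would add a bounded reveal window so that ownership cannot be reassigned indefinitely after referral rewards have been paid out; that is left out here to keep the pattern visible.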

This means that all funds in the contract are at risk. Over the past few days, white-hat hackers have been circulating warnings about Fairwin, trying to reach what they believe is the majority of the platform's users. In any case, the contract's balance has already hit zero: ten days ago it still held $10 million; now it holds nothing.

Fairwin's unfairness

In January 2018, Fairwin began developing a gambling platform. But in December of that year, the team announced on Twitter that it had not raised enough funds in its ICO and was abandoning the project. Then in July 2019, with no announcement on any of Fairwin's social media channels, a new contract appeared under the Fairwin name, and it has since become a major burden on the Ethereum network. Since then, the funds held in the contract have grown to a peak of $10.5 million.

The operator's identity is hard to establish. Our inquiry emails bounced, and Fairwin's Twitter account went silent a year ago. The London office address listed by the company is now a coffee shop. A few days ago, the Fairwin website still showed team members with professional headshots; those have since been replaced by cartoon avatars.

There is reason to believe this is not the original Fairwin team. First, the Fairwin white paper is a mess that reads like raw machine translation. A representative excerpt:

"Ethernet fang-based FW underlying technology chain… Based on blockchain technology, FW will achieve global gambling industry circulation, breaking data islands and digitizing global asset flows."

The narration in Fairwin's promotional video is computer-synthesized; no real voice appears in it.

The code is just as confused. Experts describe it as useless garbage, much of which cannot run at all. Lesaege said:

"This is the worst-quality code I have ever seen (I have seen a lot of very bad contracts, and they are obviously not comparable to this)."

He said the contract's code has no comments at all (a common trait throughout the code base), the identifiers are riddled with misspellings, and much of the code simply does not work.

Security researcher Harry Denley built a dashboard tracking Fairwin's on-chain data and found that the contract's six administrator addresses spend a lot of money just keeping the contract's methods running. Why? Because the contract is so badly written, a single one of these method calls can cost as much as $30 in gas. "There are several calls a day," he said.

The question remains unanswered: was Fairwin built by an evil genius who clogged a large share of the Ethereum blockchain and walked away with the money? Or is it simply a Ponzi scheme with bad code, one more get-rich-quick scam?

Lesaege said he reported the vulnerability to the Fairwin team last Saturday, shortly after discovering it.

"The simplest and most likely explanation is that their code is too bad."

"Because FairWin has had some vulnerabilities in the past, but they were fixed, I don't think they will try to attack their own contracts."

But Fairwin denied that the vulnerability exists, and money kept flowing into the contract.

According to Lesaege, the Fairwin team's response was:

"We have discovered the vulnerability, but we don't think it is a loophole. We checked the contract, and the invitation code the user generates the first time is used as the final invitation code. So this vulnerability is invalid."

A notice on their website today says the game will restart and firmly denies the fraud allegations.

Security auditor Daniel Luca believes that:

"They may not be acting deliberately, but they can still take all the funds at any time."

Over the past week, prominent security experts have been raising the alarm, calling for FairWin to be shut down, or at least for users to take control of their own funds.

Security researcher Philippe Castonguay advised:

"You should avoid any interaction with this contract, and if you have already interacted with it, withdraw your funds immediately. All users' funds are at risk, especially those that have just been deposited."

The experts' efforts have had some effect: over the past 24 hours FairWin has seen almost no transaction volume, mainstream block explorers such as Etherscan have flagged the contract as vulnerable, and its wallet is empty. So is this a victory for the white hats, or the latest exit scam on Ethereum?