Is there a loophole in the Ethereum FAIRWIN smart contract? Detailed technical analysis is here

Recently, the issue of FAIRWIN smart contract has attracted the attention of all parties. FAIRWIN has been used as the most expensive mode of the Ethereum chain in recent days. There are still a lot of similar clone disks in the Ethereum chain. If there are hidden vulnerabilities, The public chain brings a large wind direction, so the Chengdu chain security personnel conducted an in-depth analysis of the FAIRWIN smart contract. The analysis results are as follows:

By auditing the FAIRWIN contract code, we found that there is a remedy() interface in the contract. If the contract owner does not close the interface through close(), the interface can be called by any user, and the bet data can be forged through this interface. If you don't use any funds, you can fake the recharge record, and then the attacker can enjoy the dividend, or use the UserWithDraw() to submit the balance.

Through the chain record, we found that the project side closed the interface by closeAct() on July 28, 2019 (the second day of the contract). Through the Chengdu Chain An-Beosin-AML system to analyze all the transaction records of the project side, we further analyze whether there is already a successful attacker inserting the bet data. The analysis found that the vulnerability has been seriously abused. From ten days ago until now, there have been accounts trying to call the remedy () interface to insert bet data, but since the operation has been closed, the insertion of data failed, you can see that the insertion amount is tens of thousands of ETH.

Insert failure record:

Through the full trace, we found a total of 503 successful transaction records (500 addresses), and the insertion date is before the project side closes the interface. According to statistics, all 503 transactions were initiated by the address 0xcb104fA25a1a46040DBaB9F554FF564CE325668b.

A total of 5093 ETHs were inserted by statistics, including 4711 frozen ETHs and 382 unfrozen ETHs. And the attacker has already performed the cash withdrawal operation by inserting more than 500 trumpet settings set by the bet record.

By further analyzing the contract deployment situation, it was found that the day before the project party closed actStu, that is, on July 27, 2019, the project party had just deployed the FAIRWIN contract. Within a short period of time, the project contract was out of nothing. More than 5,000 ETHs. On July 29th, the Ethereum browser display contract was open source.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!

Share:

Was this article helpful?

93 out of 132 found this helpful

Discover more

Blockchain

Interpreting FTX's preliminary restructuring plan Cash compensation is adopted, excluding FTT holders.

At present, the restructuring plan of FTX is still in its early stages. The team will submit a revised plan and discl...

Blockchain

Exchanges are temporarily withdrawing cash, data is garbled, or the Amazon server failure in Tokyo

According to Yahoo Japan, the Amazon Web service failed at around 13:00 on August 23, 2019. The service that failed w...

Market

Three days after listing, trading volume is lackluster. The first-ever leveraged BTC ETF in the US did not have a good start.

First leveraged cryptocurrency ETF in the US underperforms expectations three days after listing.

Market

Bitcoin stays stable at $30,000, is this a signal of a bull market?

Since 2023, the Bitcoin market has maintained a continuous growth trend, recently rebounding to over $31,000 in the p...

Blockchain

After the delisting of FTX, Binance entered the options market, why did it choose the "American option" that is different?

Binance has been very eye-catching recently, withdrawing its own FTX tokens and preparing to launch new businesses su...

Blockchain

What if Bitcoin is loaded with a Decentralized Exchange (DEX)? This expansion agreement will solve the problems faced by the lightning network.

The author of a new under-chain bitcoin extension solution called Statechain called on the Bitcoin community to imple...