Blockchain Semantics Insights
Beware Of Eth Gifting Contracts on Etherscan
By Viswanath Kapavarapu | July 11, 2018, 1:27 p.m. GMT
Tonnes of people fell for this scam, perpetrated by a fake Twitter account resembling Vitalik Buterin’s account in all respects. They believed that sending a small amount of Ether from their address to a specific address would result in them receiving a large amount of Ether back. Sounds too good to be true? It was.
A few days ago, I saw a more sophisticated version of it, via Smart Contracts. I came across these on Etherscan. These smart contracts are so smart that they would surely have led a bunch of early Solidity programmers to fall for the trick. The contract makes you want to send Ether in the hope of extracting more than you deposited. However, if you try to do so, you simply lose all your Ether. Here is how it works.
The scammers have named the contracts pretty imaginatively: ETH_GIFT, ANSWER_QUIZ, ETH_QUIZ. It will remind you of those lame YouTube videos titled “Pretty actress reveals everything” which leave you fuming with their utter ‘nothingness’ once you click on them. I am not saying I click on such videos, but surely somebody does? Anyway, I digress. Over the past week, I have been able to find at least one such contract per week. When newbies take a look at these contracts, they would probably go: “Such an idiot to not secure the Smart Contract. Let me try to break one of these.”
Let’s look at one such contract:
The above contract has a balance of 1.002 Ether. At first look, it appears that anyone could simply call the ‘Play()’ function with the publicly available response parameter and an amount slightly greater than 1 Ether. If the responseHash matches, the sender could drain all the funds in the Smart Contract to his own account. Now you may have one question: how do I know the value of the ‘response’ variable that the contract creator set?
Simple. Although the variable responseHash is not public, you can find out the value just by looking at the input parameters of the StartGame function. Variables in a Smart Contract may be declared private, but since transactions are publicly visible, anyone can decode the input data of the transaction that set them and recover the parameters sent along.
Take a look at the following transaction; with a little effort, the response variable can easily be decoded.
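As an added example (not code from the post or from the contract's authors), here is how the ‘private’ response is read straight out of the public StartGame calldata; it assumes a signature of StartGame(string question, string response) and uses a placeholder selector, since the contract's ABI is not shown here.

```python
# Added example (not from the post): recover the "private" response from the
# public calldata of the StartGame transaction. Assumptions: the function is
# StartGame(string question, string response) and the 4-byte selector below is
# a placeholder, since the contract's ABI is not shown in the post.

WORD = 32          # every ABI head/tail slot is a 32-byte word
SELECTOR_LEN = 4   # calldata starts with the 4-byte function selector

# Placeholder selector (the real one is the first 4 bytes of keccak256 of the
# canonical signature; not computed here to stay dependency-free).
FAKE_SELECTOR = bytes.fromhex("00000000")


def _word(n: int) -> bytes:
    return n.to_bytes(WORD, "big")


def encode_string_args(selector: bytes, *args: str) -> str:
    """ABI-encode dynamic string args: head holds offsets, tail holds data."""
    head, tail = b"", b""
    for s in args:
        raw = s.encode()
        head += _word(len(args) * WORD + len(tail))   # offset from body start
        tail += _word(len(raw)) + raw + b"\x00" * (-len(raw) % WORD)
    return "0x" + (selector + head + tail).hex()


def decode_string_args(calldata: str, count: int) -> list[str]:
    """Read `count` dynamic string args back out of raw calldata hex."""
    body = bytes.fromhex(calldata.removeprefix("0x"))[SELECTOR_LEN:]
    out = []
    for i in range(count):
        offset = int.from_bytes(body[i * WORD:(i + 1) * WORD], "big")
        length = int.from_bytes(body[offset:offset + WORD], "big")
        out.append(body[offset + WORD:offset + WORD + length].decode())
    return out


def recover_response(calldata: str) -> str:
    """The second string arg of StartGame is the value the contract hashes."""
    return decode_string_args(calldata, 2)[1]


# Constructed sample: the input data of a StartGame("...", "...") transaction.
SAMPLE_CALLDATA = encode_string_args(
    FAKE_SELECTOR, "What is the capital of Sweden?", "Stockholm")

if __name__ == "__main__":
    print("calldata:", SAMPLE_CALLDATA)
    print("response:", recover_response(SAMPLE_CALLDATA))  # Stockholm
```

Nothing in the transaction is secret: the whole point of the takeaway below is that whatever StartGame hashed is sitting in plain sight in the input data.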
It looks so simple. Considering this is the only transaction visible on Etherscan, anyone might be lured into calling the ‘Play()’ function with, say, 1.001 ETH to extract the entire funds the contract holds. However, if you try to do so, tadaa, you lose all the funds sent along. Why so?
This is because the ‘questionSender’ has already changed the ‘responseHash’ value using the ‘NewQuestion()’ function.
You may object that there are no other transactions for this Smart Contract actually calling the ‘NewQuestion()’ function.
That’s true in the sense that there are no other transactions as per Etherscan. However, you are being fooled: Etherscan does not show internal transactions if the transaction does not involve any fund transfer. If you are careful enough to check the transaction history on other explorers such as etherchain, you can actually find the transaction that changes the value of responseHash. The transaction invoking ‘NewQuestion()’ is located here.
Overall, two takeaways for developers:
- Even though variables are declared private, their values can be recovered by simply decoding the transaction input data. Hence, you should never store confidential data in a Smart Contract.
- Do not be fooled by Etherscan (it does a great job of displaying blockchain data) into simply going fishing in risky smart contracts. Remember that Etherscan doesn’t show internal transactions if they have no fund transfers associated.
Hopefully, this post helps budding developers out there. Happy Blockchaining.