The Ethereum-based gambling dApp FairWin has collapsed following the exposure of a vulnerability in its smart contract. Researchers found that the admins of the platform could drain the dApp’s entire balance at will.
After partially revealing the vulnerability on September 26, the team behind the recent disclosure has gone public with their findings. The publication of the Medium post documenting their work follows an abrupt exodus from FairWin over the weekend. The authors of the report write that as much as $8 million worth of ETH may have been stolen by the platform’s admins.
I just published 'The Collapse of FairWin’s ~$125m Ponzi Scheme' in which we detail the journey behind the rise and fall of FairWin's fraudulent project. https://t.co/GmpgWns9qc
— Philippe Castonguay (@PhABCD) October 1, 2019
Possible Administrative Theft
Philippe Castonguay’s suspicion about FairWin was first raised on September 11. He was tipped off by a colleague who had noticed its unusually high gas usage over the previous month. A collaborative effort between the report’s author, Daniel Luca, Griff Green, Harry D., and Oleksii Matiiasevych followed.
The researchers discovered that, in a previous version of the software, the platform’s admin could drain the entire smart contract; that the project listed fake team members; that a separate vulnerability allowed literally anyone to steal all of a user’s deposits; and that the contract code contained various other typos and bugs. They also found that the platform’s admins had ultimate control over whether withdrawals were granted or not.
The team decided that the best course of action was to disclose the vulnerability without too much information. The idea behind such a progressive exposé was that platform users might have the chance to withdraw their balances before one of the vulnerabilities could be exploited. However, they acknowledged the increased risk of such a disclosure prompting an earlier exit scam from the site’s admins.
On September 26, the team started disclosing the vulnerability. At the time, there were $8 million worth of ETH tokens stored in the smart contract. The contract was promptly drained over the weekend and is now completely empty. Numerous unknown ETH addresses received funds and many users have been unable to withdraw balances.
— Martin Köppelmann (@koeppelmann) September 30, 2019
Ethereum’s Fatal Flaw?
The researchers conclude that there is no concrete evidence to suggest that the contract vulnerability was exploited. However, they do note that they can’t discount the possibility that FairWin’s admins acted dishonestly over the weekend. Castonguay writes:
“Indeed, since they effectively choose who is allowed to withdraw and when, it’s possible they favored some accounts over others in the last few days, possibly addresses they control.”
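To make the two findings above concrete, here is an added Solidity sketch (not FairWin's contract code, and with made-up contract and function names) contrasting an admin-gated, drainable pool with a depositor-controlled pull-payment pool in which no single key can move other users' funds:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Custodial pattern (constructed example): the pooled balance is only as safe as the admin key.
contract CustodialPool {
    address public admin;
    mapping(address => uint256) public deposits;
    mapping(address => bool) public withdrawalApproved;

    constructor() { admin = msg.sender; }

    function deposit() external payable { deposits[msg.sender] += msg.value; }

    // The admin decides who may withdraw and when, so users depend on the admin's honesty.
    function approveWithdrawal(address user, bool ok) external {
        require(msg.sender == admin, "admin only");
        withdrawalApproved[user] = ok;
    }

    function withdraw() external {
        require(withdrawalApproved[msg.sender], "not approved");
        uint256 amount = deposits[msg.sender];
        deposits[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
    }

    // The admin can move the entire contract balance, including every user's deposit.
    function drain() external {
        require(msg.sender == admin, "admin only");
        payable(admin).transfer(address(this).balance);
    }
}

// Non-custodial pattern (constructed example): each depositor controls only its own balance;
// there is no admin role and no function that can move more than the caller deposited.
contract PullPaymentPool {
    mapping(address => uint256) public deposits;

    function deposit() external payable { deposits[msg.sender] += msg.value; }

    function withdraw(uint256 amount) external {
        require(deposits[msg.sender] >= amount, "insufficient balance");
        deposits[msg.sender] -= amount;  // update state before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

When reviewing a dApp, the presence of functions like `drain` or `approveWithdrawal` behind an owner check is the signal that the platform is custodial regardless of what its marketing says.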
Such vulnerabilities in the most active smart contract on the Ethereum blockchain raise concerns about the plethora of other projects that have been built on the network. The sheer number of deployed contracts, along with the complexity of actually coding an airtight smart contract, suggests that there will be other such exploits on platforms that have not undergone such an extensive audit by talented programmers.
Bitcoiner and coder Udi Wertheimer goes as far as to suggest that ‘most “dapps” are just as centralized and custodial.’
Today the Toxic ETH Twitter Mob killed FairWin, an “unstoppable application” they dislike (because it filled blocks, driving up prices for “dapps” they do like), by telling people that FairWin is custodial and centralized
Except most “dapps” are just as centralized and custodial https://t.co/LPPw0guO52
— Udi Wertheimer IS RIGHT (@udiWertheimer) October 1, 2019
Meanwhile, as BeInCrypto previously reported, the Bitcoin Lightning Network is facing its own vulnerabilities.
What do you think about the FairWin story? Would you be surprised to hear that other popular dApps were as vulnerable to exploit and centralized as the Ethereum-based gambling platform?