Ethereum Alarm Clock exploit steals $260K in gas fees
By: Mark Jessy

October 20, 2022 3:25 AM
The hacker(s) have stolen 204 ETH in gas fees so far, valued at approximately $259,800, according to the transaction history highlighted by Web3 security firm Supremacy.
It has been reported that nearly $260,000 has been stolen from the Ethereum protocol due to a bug in the smart contract code for the Ethereum Alarm Clock service.
The Ethereum Alarm Clock allows users to plan ahead for upcoming transactions by setting the recipient address, the amount being sent, and the desired transaction time. Users must have the necessary amount of Ether (ETH) and gas fees available in order to process a transaction.
According to a tweet published on Twitter by blockchain security and data analytics firm PeckShield on October 19th, hackers have found a way to profit from gas fees that were returned to them after scheduled transactions were canceled.
The attackers essentially used inflated transaction fees to call cancel functions on their Ethereum Alarm Clock contracts. With the protocol's refund of gas fees for canceled transactions, hackers have been pocketing the difference thanks to a flaw in the smart contract.
We have discovered a current vulnerability in the TransactionRequestCore contract that takes advantage of the high price of gas to gain financial gain at the expense of the contract's original owner. This massive MEV-Boost reward is due to the fact that the exploit gives the miner 51% of the profits, as explained by the company.
"We've verified a current vulnerability in the TransactionRequestCore contract that takes advantage of the high price of gas to gain reward at the expense of the contract's original owner. Since the miner receives 51% of the gain from the exploit, MEV-Boost can afford to offer a much larger reward."
PeckShield also noted at the time that it had identified 24 addresses that had been taking advantage of the vulnerability in order to earn the purported "rewards."
Firm specializing in Web3 security A few hours later, Supremacy Inc also provided an update, referencing Etherscan transaction history to state that 204 ETH, or about $259,800 at the time of writing, had been stolen.
The company made note of a "interesting attack event," noting that the code used in the ethereum-alarm-clock project (itself seven years old) was four years old, and that hackers had actually found such old code to attack.
We don't have enough information at this time to know if the hack is still ongoing, if the bug has been fixed, or if the attack has ended. There will be updates to this story on Cointelegraph as it develops.
While October is typically a month of increased activity, this October has been particularly fruitful for scammers. As of the 13th of October, a report by Chainalysis stated that hackers had successfully stolen $718 million in October, making it the most active month of 2022.