A few days ago, it was revealed that FairWin, a gambling dApp, had deployed a smart contract with a number of vulnerabilities. Among them, FairWin had given itself the ability to drain the contract of all the ETH it held. The problem was spotted only after the project had gained popularity and had nearly $10 million worth of ETH locked in the contract. Fast forward to today, September 30, 2019: almost 90 percent of the contract’s funds have been withdrawn by participants who were informed of the vulnerabilities.
Gas Usage Goes Berserk, Nobody Knows Why
Just a week ago, Ethereum miners raised the block gas limit to relieve congestion on the chain and let gas prices come back down.
It was believed that the congestion was caused by Tether issuance, but in reality it was FairWin, which at one point accounted for almost 60 percent of on-chain activity.
Time to start making public the details about FairWin.
🚩 tl;dr Do not send ether to it, it’s a scam wrapped in a Ponzi scheme.
— Daniel Luca (@cleanunicorn) September 27, 2019
To summarize the project, FairWin is a gambling dApp that doubles as a high-yield investment scheme.
You can earn either by investing an amount and collecting exorbitant dividends, or by referring other people to the platform. Given this model, it is more than likely that the dividends were paid out of the investments the project received, which makes it a Ponzi scheme.
The ability to drain the contract was not limited to its creators: any malicious actor could essentially drain it as well. Poorly written code, misleading documentation, and a fishy website are all the usual tick marks of a crypto Ponzi.
Fair warning: The FairWin Ponzi contract can be drained by the owners. There is a separate attack black hats can do if the owners don't stop it (by draining it themselves).
FUNDS NOT SAFU!
— ameen.eth (@ameensol) September 27, 2019
FairWin Responds, Denies the Existence of Vulnerability
As it stands, it honestly looks like there was no malicious intent, but rather just a team of sub-par developers who don’t fully understand smart contract deployment.
Clément Lesaege, CTO of Kleros, decided to dig a little deeper to uncover where the roots of this debacle were. He attempted to privately inform the team at FairWin, but received no reply to his multiple emails and Telegram messages.
After Lesaege posted his findings to Reddit, FairWin finally made a comment. According to Lesaege, FairWin wrote:
“Thank you for your suggestion. We have already found the vulnerability, but we don’t think it is a vulnerability. The contract is judged and the invitation code generated by the user for the first time will be used as the final invitation code. So the loophole is invalid. In addition, we have real-time monitoring on our side. Once it is entered, it will be invalid. The intruder, we will alert at the first time, and then exclude the intruder.”
The response from FairWin establishes – without a shadow of a doubt (especially within the Reddit community) – that the team has no idea what they are doing and is incapable of basic programming and execution.
Sourced from crypto.news.
Written by Ashwath Balakrishnan on 2019-09-30 23:00:59.