Hackers have stolen 204 ether, equivalent to over $260,000, in an attack exploiting the Ethereum Alarm Clock (EAC) vulnerability. The continuing hack was disclosed earlier this morning by Peckshield, a web3 security and analytics company. Two hours later company informed that 24 addresses have been engaged in the ongoing exploit.
The EAC is a smart contract that enables scheduling future Ethereum transactions. Users can set the parameters of a transaction which is then called by executors known as TimeNodes at a desired time. To complete the transaction, a gas fee has to be paid upfront.
It turns out that the process contains a loophole, which was discovered by the attackers. They have made use of an unusually high gas price to rig the TransactionRequestCore contract, first calling a cancel() method on EAC and then getting hold of the fee refund – inflated by a bug in the smart contract.
According to a later tweet by Supremacy Inc., a web3 security company, the hackers managed to steal 204 ether.