A bug in the smart contract code for the Ethereum Alarm Clock service has reportedly been exploited, with nearly $260,000 said to have been swiped from the protocol so far. The Ethereum Alarm Clock enables users to schedule future transactions by pre-determining the receiver address, sent amount and desired time of transaction. Users must have the required Ether on hand to complete the transaction and need to pay the gas fees upfront. According to an Oct. 19 Twitter post from blockchain security and data analytics firm PeckShield, hackers managed to exploit a loophole in the scheduled transaction process, which allows them to make a profit on returned gas fees from canceled transactions. In simple terms, the attackers essentially called cancel functions on their Ethereum Alarm Clock contracts with inflated transaction fees. As the protocol dishes out a gas fee refund for canceled transactions, a bug in the smart contract has been refunding the hackers a greater value of gas fees than they initially paid, allowing them to pocket the difference.
Read more : Ethereum Alarm Clock exploit leads to $260K in stolen gas fees so far.