Explore the technical principles behind the random number vulnerability: How was the EOS.WIN quiz game hacked?

特邀专栏作者

2018-11-21 14:46

This article is about 2410 words, reading the full article takes about 4 minutes

The PeckShield security team took a typical EOS.WIN game as a sample to restore it from the perspective of a hacker, and took everyone to appreciate the mystery behind the random number vulnerability attack.

AI Summary

Expand

In the past month, the blockchain security company PeckShield has discovered and disclosed that more than 8 EOS quiz games such as EOSBet, EOSCast, FFgame, EOSDice, EOSWin, MyEosVegas, LuckyGo, and EOS Lelego have been hacked, and the hackers have made a total profit of 170,503.5 EOS, based on the previous market average price of 35 yuan per piece, hackers have made more than 5,967,662.5 yuan in profits from such games, which has seriously threatened the normal EOS ecological order.

PeckShield security personnel extracted the attack features of a variety of games and initially found that: 1. There are different hacker groups behind the attackers carrying out organized and targeted attacks; 2. Most of the reasons for successful attacks are related to random number vulnerabilities ; 3. Similar attacks may become more frequent, and their attack efficiency shows signs of gradually improving.

Since the vast majority of EOS quiz games are not yet open source, in order to clarify the technical principles behind the random number vulnerabilities and find out why hackers have repeatedly attacked successfully. The PeckShield security team took a typical EOS.WIN game as a sample to restore it from the perspective of a hacker, and took everyone to appreciate the mystery behind the random number vulnerability attack.

On November 12, according to the data of the PeckShield situational awareness platform: from 08:59 to 09:00 in the morning, in less than a minute, hackers launched a total of 10 attacks on the EOS.WIN game contract (eosluckydice) and made a profit of over 9,180 EOS . PeckShield security personnel tracked and analyzed that the hacker first carried out a small test attack at 22:46 last night, and after 165 attacks and mastered the attack method, he chose to use multiple associated accounts to carry out a quick attack at 9:00 the next day. Although the game also uses the more secure two deferred transaction information as a component of the random number, the hacker still cleverly bypassed these restrictions and successfully carried out the attack.

Hacking principle and lottery process:

EOS.WIN is mainly composed of two games of guessing numbers and blackjack. The game of guessing numbers, the user can choose a number arbitrarily, the system will give the corresponding odds according to the size selected by the user, and then the system will randomly give a number, If the result matches the user's size selection, it is considered a prize, and the amount obtained is the amount invested multiplied by the odds.

image description

(Illustration 1: DICE game lottery process)

PeckShield security personnel analyzed and found that the random number of the contract is obtained through the get_random function, and the factors that affect the generation of the random number are: txid is the transaction hash ID, tapos_block_num transaction block height, tapos_block_prefix block ID prefix, bet_id global lottery number, etc.

In order to further in-depth understanding, first get a few background knowledge of popular science:

1. Delayed transactions and tapos_block_prefix: In the common random number generation methods, most of them use tapos_block_num and tapos_block_prefix as important components, and specify the information of a future block in the transaction to ensure unpredictability. If the delayed transaction is used in the contract, that is to say, the delayed interval is specified during the transaction (such as the lottery), which seems to use future information. In fact, when the transaction is issued, the system has already specified the latest synchronization to be used. Block (head_block) information, and thus tapos_block_num and tapos_block_prefix are also determined.

2. Rollback of transaction status information: In EOS transactions, if an action in a transaction is executed abnormally, it will cause the rollback of the entire transaction status. For example, if you deploy a contract in your own account and throw an exception every time you receive a transfer receipt, it can cause the entire transfer process to fail, and all status information, including balance, will remain the same.

3. Calculate the transaction hash ID: a transaction (transaction) can contain multiple actions. If all action parameter information is confirmed, then combined with the aforementioned tapos_block_prefix (ref_block_prefix) information, the transaction hash ID can be calculated by itself .

In short, the attacker takes advantage of the lottery number (bet_id) to participate in the random number generation and the failure of the inline call to cause the rollback of state information, and control multiple contract accounts at the same time to send transaction requests at the same time, so as to ensure that the final request The account can get the expected lottery serial number to participate in the generation of random numbers to win rewards. Taking EOS.WIN as an example, the attacker first used 5 accounts to bet with a small amount of money, and after mastering a higher probability, used the last account with the largest amount to bet the main bet, thereby winning the prize with a higher probability.

The specific attack process is as follows (as shown in the figure below):

1. The attacker deploys 6 attack contracts. When calling the attack method, the 6 accounts are sent transaction requests in the attack contract at the same time, so that these requests will be drawn in the same block. Since the process is consistent, the transactions in the lottery transaction tapos_block_num and tapos_block_prefix are the same, only bet_id may be different.

2. The attacker's first 5 attack contracts can obtain the current bet_id when receiving the lottery notification, and judge whether this id can make the final account win the prize.

1) If the calculation shows that the last account cannot win the prize, the lottery notification of this account will be executed normally, so that the subsequent accounts will use the new lottery number to calculate the random number;

image description

(Illustration 2: Attacker's multi-account attack process)

Probability of winning:

From the above lottery and attack process, it can be seen that every time an account is added as a feint, there is an additional chance to calculate in advance whether the final main attack account will win. According to the number of guesses, choose 20 to calculate the odds is 5 times, 6 accounts will increase the winning probability to about 74%, although there is still no guarantee that every attack will win, but the attacker can win 6 times in 10 attacks, which is already super high And disturb the order of the normal game winning probability.

Safety advice:

In games such as EOS.Win, the random number is affected by a variable that can be controlled by the attacker, that is, the game lottery number (bet_id). Therefore, PeckShield recommends that developers need to remove the attacker-controllable variable in the random number generation of DApp. Variables such as the game lottery number, etc., while avoiding the lottery action and the notification action (receipt) in the same transaction, thereby avoiding the rollback of the transaction state, thereby preventing attacks from hackers.

Welcome to Join Odaily Official Community