Ethereum smart contract FairWin’s account drained as critical vulnerabilities raise the question of a malicious attack
Dubbed by many the fastest-growing Ponzi scheme on Ethereum, the smart contract FairWin has emptied its account, according to data from Etherscan. Just a few days ago, the account held almost 50,000 ETH (~$9 million).
While the nature of the withdrawal has not been confirmed, the total volume of withdrawing addresses suggests that concerned users took their funds out after multiple crypto users on social media speculated that the smart contract was actually a Ponzi scheme.
It is unclear whether the contract was drained by its owner, some malicious actors or concerned users, but the multitude of withdrawing addresses suggests the latter.
According to Horizon Games’ Blockchain Researcher & Developer Philippe Castonguay, the “scheme” contains critical vulnerabilities which put the funds at risk.
The https://t.co/1HHnXNCWsL Ponzi Scheme contains critical vulnerabilities that put all funds at risk.
Spread knowledge (especially in Asia). Users need to withdraw their funds and stop interacting with the contract ASAP.
Details on the exploits will be published soon.
— Philippe Castonguay (@PhABCD) September 27, 2019
Later, Castonguay expanded on the details of the three main vulnerabilities he had discovered in the Ethereum smart contract. One allowed the owner or administrator to drain the account, another allowed the admin to lock withdrawals, and the third allowed anyone to steal the deposits.
CTO of Kleros, Clement Lesaege, also posted a detailed explanation concerning the vulnerabilities on Reddit.
After the vulnerabilities were publicly announced, FairWin’s team responded to Lesaege by stating,
“Thank you for your suggestion. We have already found the vulnerability, but we don’t think it is a vulnerability. The contract is judged and the invitation code generated by the user for the first time will be used as the final invitation code. So the loophole is invalid.
In addition, we have real-time monitoring on our side. Once it is entered, it will be invalid. The intruder, we will alert at the first time, and then exclude the intruder.”
According to Castonguay's more detailed blog post on the matter, there is no evidence that the funds were withdrawn by malicious attackers. The last successful withdrawal took place yesterday at around 9:21 pm UTC.