Connect with us
Active Currencies 14821
Market Cap $2,359,699,431,272.20
Bitcoin Share 50.62%
24h Market Cap Change $-2.59

Ethereum smart contract FairWin’s account drained as critical vulnerabilities raise the question of a malicious attack

2min Read

Share this article

Dubbed by many the fastest growing Ponzi scheme on Ethereum, the smart contract FairWin has emptied its account, according to data from Etherscan. Just a few days ago, the account possessed almost 50,000 ETH (~$9 million).

While the nature of the withdrawal has not been confirmed, the total volume of withdrawing addresses suggests that concerned users had taken their funds out after multiple crypto-users on social media speculated that the smart contract was actually a Ponzi scheme. 

It is unclear whether the contract was drained by its owner, some malicious actors or concerned users, but the multitude of withdrawing addresses suggests the latter.

According to Horizon Games’ Blockchain Researcher & Developer Philippe Castonguay, the “scheme” contains critical vulnerabilities which put the funds at risk.

Later, Castonguay expanded on the details of the three main vulnerabilities he’d discovered on the Ethereum smart contract. One allowed the owner or administrator to drain the account and another allowed the admin to lock withdrawals. The third vulnerability allowed anyone to steal the deposits.

CTO of Kleros, Clement Lesaege, also posted a detailed explanation concerning the vulnerabilities on Reddit.

After the vulnerabilities were publicly announced, FairWin’s team responded to Lesaege by stating,

“Thank you for your suggestion. We have already found the vulnerability, but we don’t think it is a vulnerability. The contract is judged and the invitation code generated by the user for the first time will be used as the final invitation code. So the loophole is invalid.

In addition, we have real-time monitoring on our side. Once it is entered, it will be invalid. The intruder, we will alert at the first time, and then exclude the intruder.”

According to Castonguay’s more detailed blog post on the matter, there is no evidence to say that the funds were withdrawn by malicious attackers. The last successful withdrawal took place yesterday at around 9.21pm +UTC.


Biraajmaan is a full-time journalist at AMBCrypto covering the US market. A graduate in Automobile engineering, he writes mainly about regulations and its impact with a focus on technological advancements in the crypto space.
Read the best crypto stories of the day in less than 5 minutes
Subscribe to get it daily in your inbox.
Please check the format of your first name and/or email address.

Thank you for subscribing to Unhashed.