Ethereum smart contract FairWin’s account drained as critical vulnerabilities raise the question of a malicious attack

Mark Prestwood

Dubbed by many the fastest-growing Ponzi scheme on Ethereum, the FairWin smart contract has had its balance drained to zero, according to data from Etherscan. Only a few days ago the contract held almost 50,000 ETH (about $9 million).

The nature of the withdrawals has not been confirmed. It is unclear whether the contract was drained by its owner, by malicious actors or by concerned users, but the large number of distinct withdrawing addresses points to the last of these: users appear to have pulled their funds out after multiple crypto users on social media speculated that the contract was in fact a Ponzi scheme.
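The inference above (many distinct withdrawing addresses pointing to a user exodus rather than a single drainer) can be checked mechanically against a contract's outgoing transfers. The following Python is an added example, not code from the article or from any of the researchers it cites; the transaction lists are constructed for illustration, and the thresholds are assumptions rather than values from the page.

```python
"""Heuristic: did one actor drain a contract, or did many users withdraw?

Input is a list of (recipient_address, value_in_eth) outgoing transfers, the
kind of data an explorer such as Etherscan lets you export for an address.
All addresses and amounts below are constructed; they are not FairWin data.
"""
from collections import Counter
from typing import Iterable, Tuple

# Constructed sample 1: 40 distinct recipients, each taking a modest amount.
EXODUS_TXS = [(f"0x{i:040x}", 100.0 + i) for i in range(1, 41)]

# Constructed sample 2: one recipient takes almost everything, a few take crumbs.
DRAIN_TXS = [("0x" + "ab" * 20, 45000.0)] + [(f"0x{i:040x}", 50.0) for i in range(1, 6)]


def outflow_by_address(txs: Iterable[Tuple[str, float]]) -> Counter:
    """Sum outgoing value per recipient (case-insensitive on the hex address)."""
    totals: Counter = Counter()
    for addr, value in txs:
        totals[addr.lower()] += value
    return totals


def classify_outflows(
    txs: Iterable[Tuple[str, float]],
    single_actor_share: float = 0.5,  # assumed threshold, not from the article
    min_addresses: int = 20,          # assumed threshold, not from the article
) -> Tuple[str, int, float]:
    """Return (verdict, distinct_recipients, top_recipient_share).

    - "single-actor drain": one recipient received >= single_actor_share of all outflow.
    - "broad withdrawal":   no dominant recipient and at least min_addresses recipients.
    - "inconclusive":       neither condition holds.

    Caveat: an attacker can split a drain across many fresh addresses, so a
    low top share is suggestive, not proof. Check whether the recipients were
    earlier depositors before calling it a user exodus.
    """
    totals = outflow_by_address(txs)
    if not totals:
        return "no outflows", 0, 0.0
    grand_total = sum(totals.values())
    _top_addr, top_amount = totals.most_common(1)[0]
    share = top_amount / grand_total
    distinct = len(totals)
    if share >= single_actor_share:
        verdict = "single-actor drain"
    elif distinct >= min_addresses:
        verdict = "broad withdrawal"
    else:
        verdict = "inconclusive"
    return verdict, distinct, share


if __name__ == "__main__":
    for name, txs in (("exodus", EXODUS_TXS), ("drain", DRAIN_TXS)):
        verdict, n, share = classify_outflows(txs)
        print(f"{name}: {verdict} ({n} recipients, top share {share:.1%})")
```

The share and address-count thresholds are deliberately crude; the useful part of the check is cross-referencing recipients against the contract's earlier deposit history, which the heuristic alone cannot do.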

According to Horizon Games blockchain researcher and developer Philippe Castonguay, the "scheme" contains critical vulnerabilities that put the funds at risk.

Castonguay later expanded on the three main vulnerabilities he had found in the contract: one allowed the owner or administrator to drain the contract's balance, another allowed the administrator to lock withdrawals, and the third allowed anyone to steal the deposits.

Kleros CTO Clement Lesaege also posted a detailed explanation of the vulnerabilities on Reddit.

After the vulnerabilities were publicly announced, FairWin’s team responded to Lesaege by stating,

“Thank you for your suggestion. We have already found the vulnerability, but we don’t think it is a vulnerability. The contract is judged and the invitation code generated by the user for the first time will be used as the final invitation code. So the loophole is invalid.

In addition, we have real-time monitoring on our side. Once it is entered, it will be invalid. The intruder, we will alert at the first time, and then exclude the intruder.”

According to Castonguay's more detailed blog post on the matter, there is no evidence that the funds were withdrawn by malicious attackers. The last successful withdrawal took place yesterday at around 9:21 pm UTC.

Mark is a full-time member of the Editorial team of AMBCrypto. With his five-year experience as a business editor for one of the largest dailies in the US, Mark brings sanity and order to our editorial team. Mark is a business major and loves building automotive parts when he's not working.