There is only one truth | God.Game Attack Analysis
The Attack
On August 22nd, the Ethereum game God.Game announced on its website that all of its tokens had been taken by hackers. The game had been in preparation for 2 months and died not long after going online.
Chengdu LianAn Technology team immediately began auditing the contract’s source code without waiting for the attacker’s address to be announced. We intended to start from the code logic and functional correctness, and to locate the specific vulnerability the attacker used, and so we did.
Vulnerability Locating
While auditing the contract, the Chengdu LianAn Technology team spotted that the variable ‘dividends’ could end up with an abnormal value.
Firstly, let’s see how the variable dividends is calculated:
return (uint256) ((int256)(profitPerShare_*tokenBalanceLedger_[_customerAddress]) - payoutsTo_[_customerAddress]) / magnitude;
Then we found that whenever the token amount on an address changes, the variable ‘payoutsTo’ for that address changes as well, for instance:
Increase ‘payoutsTo’ when purchasing token:
Decrease token when selling or transferring out token:
These are easy to understand.
However, in the part of the Transfer function that handles a specific contract address, there is no corresponding update to the variable ‘payoutsTo’. We will get back to this, but let’s check the code first:
Secondly, we moved on to withdraw function:
In this part, surprisingly, the variable payoutsTo is assigned a value in the form of dividends*magnitude. Here, magnitude=2**64.
From the (profitPerShare_*tokenBalanceLedger_[_customerAddress]) part of the dividends calculation we can see that, as long as the address holds tokens, dividends will have a value, so the withdraw function goes on to execute.
The Inference
1. Create an attack contract and transfer a certain amount of tokens to it, then call the withdraw function so that the payoutsTo value for the attack contract’s address becomes dividends*magnitude;
2. Then transfer all the tokens out of the attack contract so that its balance becomes 0. The game contract’s logic contains no operation on payoutsTo for that address, so from the game contract’s perspective the attack contract’s payoutsTo value is not reduced.
Now let’s substitute this payoutsTo value into the dividends calculation:
(uint256) ((int256)(profitPerShare_ * tokenBalanceLedger_[_customerAddress]) - payoutsTo_[_customerAddress]) / magnitude
Now that the attack contract’s tokens have been transferred out, tokenBalanceLedger=0 and (profitPerShare_ * tokenBalanceLedger_[_customerAddress])=0, but payoutsTo keeps its value, which is of type int256.
Therefore, the simplified calculation of dividends becomes:
uint256 (int256(0-payoutsTo))/magnitude;
In addition, (uint256) ((int256) …) means that the uint256 conversion forces an int256 value to be read as an unsigned value. In this case the bits of the negative value are reinterpreted as unsigned, so it becomes a very large positive value, hence the abnormal value of the variable dividends.
3. Finally, call the reinvest() function to buy almost all the tokens in the game with the abnormal dividends. This caused the value of the tokens to rise rapidly.
Then sell all the tokens to get ETH in the game.
Let’s briefly summarize the operations above:
(1) Create an attack contract that can call the functions of the God contract, and transfer a certain amount of GOD tokens into the God contract.
(2) The attack contract calls the withdraw function of the God contract, triggering the increase of payouts[address].
(3) Call the attack contract to take all the tokens out of it, making its actual token amount 0; the dividends for its address then become abnormal.
(4) Call reinvest() to buy a large amount of tokens with the abnormal dividends. The total amount of tokens in the game increases and, according to the game rules, the dividends increase as well, so the token price rises. At this point, anyone can sell a very small amount of tokens to gain a large amount of ETH.
Evidence Found
We checked the contract and found evidence of the abnormal dividends:
The circled part, which has the form ‘0000000fffffffff’, shows that the value is a negative number.
This proves that the dividends value was abnormal.
And we found this on Etherscan as well:
The attacker called the reinvest() function through the attack contract and purchased a huge number of GOD tokens, around 30 billion, driving the price up. Finally, the attacker sold only 0.9 to get over 200 ETH in the game.
Laboratory Replication
Testing environment:
Ropsten
Testing procedure:
1. Deploy God contract on Ropsten, address: 0x92cbCBc31f6bb209f2C4F6cbd0596ba22D71979d
2. Normal user pays 1 ETH to purchase GOD token.
3. Attacker pays 1 ETH to purchase GOD token as well.
4. Attacker deploys attack contract PWN, PWN address:
0x88DF1483Db9d3720378d2CB6859c8487e4412ac7
Source code of attack contract:
https://ropsten.etherscan.io/address/0x88DF1483Db9d3720378d2CB6859c8487e4412ac7#code
5. Attacker transfers 4 GOD tokens to PWN contract.
6. Attacker calls the withdraw function of the God contract through the PWN contract, making the payoutsTo for the PWN contract turn into:
7. Attacker transfers out the tokens held by the PWN contract so that tokenBalanceLedger_ becomes 0. The parameters for calculating dividendsOf for the PWN contract are now:
profitPerShare_ = 8997439772575371
tokenBalanceLedger_[PWN] = 0
payoutsTo_[PWN] = 0x254197237940000000000000000
Executing the dividendsOf function gives the result for the PWN contract address: dividendsOf = uint(-0x25419723794).
The abnormal value appears when the int is converted to uint.
8. Attacker calls the reinvest() function of the God contract through the PWN contract, using the incredibly large dividendsOf value to purchase GOD tokens, thereby raising the value of profitPerShare to an extreme and destroying the balance of the exchange rate between GOD and ETH.
9. The resulting total amount of GOD on Ropsten is close to the evidence, which means the replication succeeded.
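The arithmetic of step 7, as an added example: a Python model written for this article, not code from the God contract or the PWN contract. It uses the Ropsten values quoted above and assumes wrapping 256-bit arithmetic with no overflow checks; dividends_of_checked is a hypothetical hardened variant.

```python
# Added example: models the God contract's dividendsOf expression with
# wrapping 256-bit arithmetic (assumed: the contract has no overflow checks).
MAGNITUDE = 2**64
UINT_MOD = 2**256

# Values quoted in replication step 7 of this article.
PROFIT_PER_SHARE = 8997439772575371
PAYOUTS_TO_PWN = 0x254197237940000000000000000


def to_int256(x):
    """Read the low 256 bits of x as a two's-complement signed integer."""
    x %= UINT_MOD
    return x - UINT_MOD if x >= 2**255 else x


def to_uint256(x):
    """Read the same 256 bits as an unsigned integer (the uint256 cast)."""
    return x % UINT_MOD


def signed_share(profit_per_share, balance, payouts_to):
    """int256(profitPerShare_ * balance) - payoutsTo_, before the cast."""
    return to_int256(to_int256(profit_per_share * balance) - payouts_to)


def dividends_of(profit_per_share, balance, payouts_to):
    """The expression as written: cast to uint256 first, then divide."""
    return to_uint256(signed_share(profit_per_share, balance, payouts_to)) // MAGNITUDE


def dividends_of_checked(profit_per_share, balance, payouts_to):
    """Hypothetical hardened variant: reject a negative value, never cast it."""
    share = signed_share(profit_per_share, balance, payouts_to)
    if share < 0:
        raise ValueError("payoutsTo exceeds profitPerShare * balance")
    return share // MAGNITUDE


if __name__ == "__main__":
    wrapped = dividends_of(PROFIT_PER_SHARE, 0, PAYOUTS_TO_PWN)
    print(format(wrapped, "064x"))  # 64 hex digits, one 256-bit word
    try:
        dividends_of_checked(PROFIT_PER_SHARE, 0, PAYOUTS_TO_PWN)
    except ValueError as err:
        print("rejected:", err)
```

The model returns 2**192 - 0x25419723794: sixteen zero hex digits followed by a run of f, the same shape as the ‘0000000fffffffff’ pattern in the evidence above. The top 64 bits are zero because the division by magnitude happens after the cast to uint256.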
Summary
After the theoretical verification, which compares the inference with the evidence, and the data verification, which compares the replication results with the real results, we at Chengdu LianAn Technology define this attack as a numerical data type conversion vulnerability attack.
The attacker exploited a design flaw in the God contract, namely the lack of consideration given to converting the int type to the uint type, to launch the attack.
From the information on Etherscan, the attack contract was deployed at Aug-20-2018 04:42:27 PM +UTC, while the Ether was taken at Aug-20-2018 04:57:26 PM +UTC. It took the attacker only 15 minutes to perform all the operations above.
Besides this vulnerability, we found another two ‘backdoors’: the owner of the God contract could use the following two functions to transfer out all the ETH held by the God contract.
In a word, it is very common for current game smart contracts, especially those related to direct trading or gambling, to contain security vulnerabilities. Therefore, we urge all game players and investors to investigate cautiously and invest wisely when entering blockchain games, especially those that went viral overnight. We highly recommend games that have provided security audit reports. Please don’t follow other players blindly. Moreover, project initiators should conduct a smart contract audit before rolling out the project, to protect their own and their players’ assets.
About LianAn Technology
Chengdu LianAn Technology Co. Ltd. is headquartered in Chengdu and focuses on the blockchain security field. Founded by Prof. Xia Yang and Prof. Wensheng Guo of UESTC, LianAn Tech’s core team consists of more than 30 associate professors, postdoctoral students, doctors and masters with experience of studying at leading overseas universities and laboratories (CSDS, Yale, and UCLA), as well as industry elite from Alibaba, Huawei, and other famous enterprises. Using formal verification as its core technology, this team has been providing years of services for security-critical systems in aerospace, military and other fields. Chengdu LianAn Technology Co. Ltd. is the one and only company in China that applies this technology to the blockchain security field.
Being the only blockchain security company that obtained strategic investment from Fenbushi capital, LianAn Technology has signed strategic cooperation agreements with well-known corporations such as Huobi, OKEX, KuCoin, LBank, CoinMex, Becent, ONT, Scry, CareerOn, IoTeX, DALICHAIN, Bplus, Bytom, Bubi Blockchain, and YUNPHANT. In addition, it has made cooperative agreement with France Inria, the top formal verification team in the world. LianAn Tech was listed on the “2018 China Blockchain Industry White Paper” issued by the Ministry of Industry and Information Technology, and it has also been selected for the smart contract security audit recommendation List.