On August 22, 2018, the first round of FOMO3D ended with a prize of 10,469 ETH. The lucky winner received just shy of $3 million worth of ETH at his or her address simply because this individual bought the last key of the round and the countdown went in their favor. Lucky sod, or was it calculated?
Let's have a look at this post-mortem article from WeChat.
This article is from the WeChat official account dapdap blockchain (ID: dapdapio). Tiger Sniff Network was authorized to reprint it.
First, the hacker took the grand prize
The first-round grand prize of FOMO 3D, the most popular Dapp on Ethereum, was announced at 2:48 pm on August 22, Beijing time.
The winner, wallet address number 5 (hereinafter referred to as 5 brother), won the prize of 22 million yuan (10,469 Ethereum).
According to the wallet's transaction history, the winner paid only about 6,000 yuan (2.7 Ethereum).
The player entered the game on August 15th. After 6 days and 145 transaction attempts, he broke through a field of hundreds of thousands of players, won big with a small stake, took the grand prize, and gained 4,000 times his outlay.
Why was a prize worth two apartments inside Beijing's Second Ring Road taken away by 5 brother? Is it destined to be a black box operation?
DapDap's friends carried out an in-depth investigation of the winning event and the transaction records related to 5 brother's wallet, and found that it was not as simple as 5 brother getting lucky.
It can almost be concluded that it is a hacker.
The preparation work done by the hacker 5 brother is far from being as simple as buying and buying.
Second, the real advanced players
Next, we uncover the truth of the incident.
First, let’s briefly introduce the rules for winning the grand prize.
Rule 1: The last person who purchased KEY won the prize in the prize pool
Rule 2: Every time someone buys a KEY, the countdown will increase by 30 seconds.
Rule 3: Countdown starts 24 hours after the game starts
In other words, as long as you are the last person to buy KEY, you can take away two sets of second-ring houses in Beijing.
Of course, some people may suspect that the team has the possibility of a black-box operation. However, since FOMO 3D’s smart contract is open source and open and transparent, it can be found that the hacker 5 brother is using the normal purchase function to purchase.
So there is no possibility of official black box operation.
What do you do as a player who wants to win a 22 million prize?
If you are a novice player:
You may stare at the computer for 24 hours. Every time the countdown is about to end, spend a little money to buy a KEY, and then pray that no one will buy it later.
If you are a programmer player:
You might write a script that sets the amount of money to buy a KEY automatically when the countdown is about to end, and then repeat the process.
If you really do this, it only shows that you are stupid and naive.
Because the prize is as high as 22 million, as soon as the countdown is about to run out someone will definitely buy, and hundreds of scripts will be waiting to purchase.
Real advanced players do this:
After buying the KEY, use various means to ensure that no one can buy it later.
This is also the key reason for the hacker 5 brother to take the grand prize.
Third, the two means of winning
As shown in the following figure, from the recent wallet transaction record of Hacker 5, he only buys a KEY every once in a while.
So many people speculated that the hacker 5 brother just wrote a script and then happened to catch a period of Ethereum congestion, or that interest in the game had dropped and no one was paying attention, and that he simply got lucky.
However, if you look closely, you will find that only one person made a (failed) purchase in the 3 minutes and 12 blocks after the hacker 5 brother purchased the KEY.
Other than that, no one has ever issued an order for purchase.
This is completely different from the previous three counts of each countdown, which is unusually deserted.
So how can you do this in Ethereum? There are two main ways:
1. Collude with the mine owner, so that the mine owner does not package other transactions purchasing KEY after my transaction;
2. After purchasing the KEY successfully, block Ethereum so that other transactions purchasing KEY cannot be packaged.
Fourth, the working principle of Ethereum
Here is a simple primer for newcomers on blockchain and the working principle of the Ethereum network.
A typical home computer executes many programs every second. Ethereum, however, can be understood as executing programs once every 14 seconds on average. The term for this is “packaging transactions”.
The computer responsible for executing the programs (packaging transactions) is called the “mining machine”, and the person who owns the mining machine is called the miner or mine owner.
There are tens of thousands of Ethereum mining machines in the world, and which mining machine gets to package transactions depends on that machine's computing power and the total network computing power. The act of competing for the right to package transactions is called “mining.”
Once a miner has successfully mined a block, it receives an Ethereum reward and can decide which transactions to package and how to package them.
At any time, many users are submitting their own program commands to be packaged by a mining machine. To have a transaction packaged, the user pays a certain fee to the miner, and the mining machine generally chooses the users who pay the most.
Therefore, in layman’s terms, there are two ways for players who want to win big prizes:
1. Negotiate with the major mine owners so that, after they have successfully mined, they do not package other people's transactions buying KEY;
2. Through certain technical means and high transaction fees, make the mining machines automatically choose to package only my transactions and not other people’s transactions.
The mine owner did not even know it in the process.
Fifth, the possibility of collusion with the mine owner
First look at the possibility of collusion with the mine owner.
As shown in the following figure, the distribution of the calculation power of the mining machine in Ethereum is relatively scattered.
Ethermine, the mine with the highest computing power, only accounts for 29%, and other large mines account for only about 10%.
Once the countdown drops below 2 minutes, there will inevitably be a large number of players, motivated by the grand prize, buying a KEY.
Therefore, the jackpot player must purchase the KEY at least two minutes before the end of the countdown, and then negotiate with the mine owners who mine the next 8 to 12 blocks (14 seconds per block, 4 per minute) so that they block all users who want to buy a KEY, making sure that he is the last one.
However, this practice is not only difficult to achieve in theory; it was almost impossible to achieve in the actual course of this incident.
As shown in the figure below, the 12 blocks between the hacker 5 brother's KEY purchase and the determination of the award were mined by 8 different miners, including Ethermine, SparkPool, Nanopool, BitClubPool and bw.
The hacker 5 brother would have had to strike a deal with these 8 mine owners in advance, and then precisely these 8 mine owners would have had to be the ones who mined successfully.
Anyone who has studied probability can quickly calculate that the possibility is almost zero.
After this analysis, we basically ruled out the possibility of collusion with the mine owners.
Sixth, abnormal transaction data
During the analysis, we were also surprised to find that in the 3 minutes from 5 brother's KEY purchase to the win, the number of transactions in the 12 blocks was abnormally low, almost 1/10 of the usual, while the transaction costs were a hundred times higher than usual.
This unusual data made me judge that there must be something fishy, and combined with the following series of data analysis, we confirmed:
After purchasing the KEY, 5 brother used high Ethereum fees and technical means to block Ethereum for 3 minutes.
As a result, other players could not get their KEY purchases packaged, and he thus won the final prize.
The following is the hard evidence and a step-by-step analysis:
First of all, we extracted a total of 353 transactions in the 12 Ethereum blocks before the win. After analysis along various dimensions, we have the following findings:
1. Among the accounts with the most transactions, one is an open source contract account established less than 4 days earlier. The account had as many as 32 transactions in just 3 minutes.
2. Digging further, we discovered that the suspicious contract account was created by the hacker 5 brother almost three or four days ago.
In other words, after 5 brother purchased the KEY, he used a smart contract to send a large number of transactions to Ethereum.
At this point, although we are still not sure what the contract content is, we can basically conclude that 5 brother tampered with things after buying the KEY.
Exactly what he did requires further analysis.
3. We then counted the GAS consumption in the 12 blocks before the win.
We found that the GAS consumed by the suspicious contract account created by 5 brother accounted for the vast majority of GAS consumption during this period.
Especially in the last six blocks, in about one and a half minutes, 5 brother paid a high price of 190 to 501 GAS, which monopolized all of Ethereum's computing power.
Other users can hardly perform any operations on Ethereum.
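The per-block analysis described in this section (transaction counts and GAS share per account across a window of blocks) can be automated. The following is an added example, not code from the original article or from DapDap: it flags runs of consecutive blocks in which one recipient consumes most of the block gas limit. The block data, the `0x...` labels, the thresholds and the function names are constructed for illustration, and the gas price values carry no particular unit.

```python
from collections import defaultdict
from statistics import median

GAS_LIMIT = 8_000_000  # "around 8 million GAS" per block, per the article

def profile(block):
    """Per-block summary: top gas-consuming recipient, its share of the
    block gas limit, the transaction count and the median gas price."""
    gas_by_to = defaultdict(int)
    for to, gas_used, _price in block["txs"]:
        gas_by_to[to] += gas_used
    top = max(gas_by_to, key=gas_by_to.get) if gas_by_to else None
    return {"number": block["number"], "top": top,
            "share": gas_by_to[top] / GAS_LIMIT if top else 0.0,
            "tx_count": len(block["txs"]),
            "median_price": median(p for _, _, p in block["txs"]) if block["txs"] else 0}

def stuffing_runs(blocks, share=0.8, min_run=3):
    """Runs of >= min_run consecutive blocks in which the same recipient
    consumes at least `share` of the gas limit in every block."""
    runs, run = [], []
    for p in map(profile, sorted(blocks, key=lambda b: b["number"])):
        extends = (bool(run) and p["top"] == run[-1]["top"]
                   and p["number"] == run[-1]["number"] + 1)
        if p["share"] >= share and (extends or not run):
            run.append(p)
            continue
        if len(run) >= min_run:   # close the previous run if it was long enough
            runs.append(run)
        run = [p] if p["share"] >= share else []
    if len(run) >= min_run:
        runs.append(run)
    return [{"recipient": r[0]["top"], "first": r[0]["number"],
             "last": r[-1]["number"], "min_share": min(x["share"] for x in r)}
            for r in runs]

# Constructed sample, not real chain data: (recipient, gas_used, gas_price).
NORMAL = [("0xTOKEN", 60_000, 5), ("0xGAME", 250_000, 8), ("0xDEX", 400_000, 6)] * 9
STUFFED = [("0xSUSPECT", 3_700_000, 300), ("0xSUSPECT", 3_900_000, 500),
           ("0xTOKEN", 60_000, 510)]
SAMPLE = ([{"number": n, "txs": NORMAL} for n in (100, 101)]
          + [{"number": n, "txs": STUFFED} for n in (102, 103, 104, 105)]
          + [{"number": 106, "txs": NORMAL}])

if __name__ == "__main__":
    for run in stuffing_runs(SAMPLE):
        print(run)
```

In the sample, `profile` also shows the two side effects the article reports for the congested window: the transaction count per block collapses while the median gas price jumps.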
Seventh, hacker motives
Here is a brief explanation of the principles of Ethereum and why the hacker 5 brother wanted to do this.
Above we said that Ethereum has a block every 14 seconds or so, and some transactions will be packaged in the block. The amount of computation that each block can perform is limited, typically around 8 million GAS.
Transactions that exceed this limit are postponed to subsequent blocks for processing.
For example, each block on the Ethereum is like a bucket. When a user submits a transaction request, it is like pouring water into a bucket. Once a bucket is filled with water, it can no longer process other transaction requests.
Buckets generally prioritize transactions with high bids.
So what 5 brother did here was pay a lot of money to the mining machines that mined the dozen or so blocks after his KEY purchase, from 6191898 to 6191908, so that they would prioritize the transactions issued by 5 brother.
The transactions issued by 5 brother then consumed so many resources that almost all of those dozen blocks were occupied.
All other Ethereum users, whether or not they were playing FOMO 3D, could not interact with Ethereum in those 3 minutes.
Since no player could come in and compete with the hacker 5 brother, 5 brother succeeded in holding on until the countdown ended.
Eighth, the ins and outs
Therefore, the context of the whole incident is basically clear:
1. The FOMO 3D countdown is about 3 minutes left;
2. Hacker 5 brother purchased 1 KEY;
3. The hacker 5 brother used other wallet accounts to send a lot of spam to the smart contract he had created himself, causing Ethereum to be congested for 3 minutes;
4. After 3 minutes, the hacker 5 brother successfully won the grand prize because no one else bought a KEY.
Of course, there are some interesting places in the whole incident and places that are not easy to understand. We discuss each one by one:
1. Is the hacker 5 brother manually operated?
Of course not. The hacker 5 brother wrote the script and the smart contract used with the script in advance.
In the whole process, 5 brother actually wrote 10 smart contracts, but the one that finally succeeded was the smart contract with the last number 7801. It seems that 5 brother had also been optimizing.
2. The road to success of the hacker 5 brother was not very smooth.
The hacker 5 brother set up the wallet that won the grand prize 7 days ago, and then ran scripts for 5 or 6 days against FOMO 3D and Last Winner in an attempt to compete for the final prize.
But he had no success, and lost a lot in fees.
Then, 1 day ago, the hacker 5 brother took the opportunity to make a small change. Originally, after purchasing the KEY from the fccbf85 main account, that same account sent the commands to the smart contract itself. After the change, the fccbf85 main account was only responsible for purchasing the KEY, and several other accounts sent the commands to the contract.
Before the change
After the change
This change appears to have greatly improved the efficiency, and 5 brother achieved the FOMO 3D victory in almost 3 hours.
This success was not achieved in one attempt; it came with a little luck after nearly a thousand failures.
3. Who is the hacker 5 brother?
It should be a professional hacker in the blockchain field. We analyzed his wallet account, but unfortunately it is not certain who it is.
A total of 8 wallet addresses transferred Ethereum into the hacker 5 brother's wallet.
Apart from 5 brother’s own accounts, these are suspected ShapeShift wallets, and ShapeShift is loved and used by the majority of blockchain hackers because it is difficult to track.
At the same time, the hacker 5 brother used nearly 20 different wallet addresses throughout the process for running his scripts.
No other sources can basically be found for these wallet addresses.
4. Where did the earned money go?
They are stored in the following two wallets:
They have not been transferred yet.
5. No one competes in the whole process?
In fact, there was some. In the three minutes after 5 brother bought the KEY, one player did manage to squeeze in with a GAS price of 5000+ and tried to buy a KEY.
But unfortunately the GAS limit he set was too low, so the transaction failed. The player also lost 2.1 Ethereum, which is about 4,000 yuan.
The rest of the time, 5 brother remained very strong.
6. The transaction was packaged by the f2pool fish pond. Is the fish pond under any suspicion?
As discussed above, the key factor in the hacker's success was blocking the more than a dozen blocks after the KEY purchase transaction. These blocks have nothing to do with the fish pond, so I don’t think the fish pond had anything to do with it.
Still, the forceful appearance of the fish pond made the game more interesting.
Ninth, a few games played by hackers
Fomo 3D’s design skills are superb, and we even had the illusion that “this game will never end”
So when we heard the end of the game, our first instinct was that things were not that simple.
So we spent a night on a deep analysis of the Fomo 3D award, and all the signs confirmed our guess: it was indeed a hacker.
The second round of Fomo 3D has been launched, and within a few hours the prize pool has passed 6000 Ethereum. When the second-round grand prize will be produced, and whether there will be hacking, everyone can wait patiently and observe.
There was such a passage in GAME Revelation:
There are too many unpredictable things in the real world, and games are not. The game is based on rules. Although there is local randomness, the relationship between progress and results is certain.
If someone is rich, there will be someone who has no money.
As we have written, this kind of fund game is a “small hacker game”; hackers interact by issuing instructions directly to Ethereum.
Most people are losing money by playing through the game page.
So never play this kind of game with a gambler mentality.
Because, when you are staring at the abyss, the abyss is staring at you.
Tenth, summary of other clues
The following is a summary of the key elements of the event:
1. Winner: 5 brother
2. Wallet address:
3. Successful purchase transaction address: 0x7a06d9f11e650fbb2061b320442e26b4a704e1277547e943d73e5b67eb49c349
4. Winning transaction address: 0xe08a519c03cb0aed0e04b33104112d65fa1d3a48cd3aeab65f047b2abce9d508
5. Hacker 5 brother creates a suspicious contract transaction address: https://etherscan.io/tx/0x21ebb34d74aa487f036d5b8b5cf9cbfc7083b9fec3614a312341a3ab01592293
6. Block height of the purchase transaction: 6191896
7. Miner: f2pool_2 (fish pond)
8. Block Information: Colorful Angelfish
9. Other reference materials and information sources:
This article is from the WeChat official account dapdap blockchain (ID: dapdapio).