Cocos-BCX White Hat Reward Case Analysis of Dice Rollback Attack

In the field of cryptocurrencies, the work of maintaining system security needs to be “outsourced”, and this has become a tacit understanding. HackerOne has become a gathering place for hackers who no longer want to use system vulnerabilities to launch attacks and would rather earn rewards by helping fix them. The COCOS Bug Bounty, launched by the Cocos-BCX developer community, provides exactly this opportunity.

COCOS Bug Bounty is a public chain security program that invites developers around the world to participate in the development of Cocos-BCX. Cocos-BCX will open-source the chain code and tool product code in planned stages so that developers worldwide can test it. Developers who find bugs and submit them via email receive rewards based on their contribution level, and their contributions make the Cocos-BCX public chain more complete. Besides improving the security and reliability of the public chain, the program will also continuously improve the experience of the peripheral tools.

On December 24, 2019, the Cocos-BCX technical team received a vulnerability report from a white hat concerning the contract.dicegame contract of the Cocos-BCX MainNet game Dice Dapp. Fortunately, after finding the vulnerability, the white hat hacker voluntarily returned the nearly 300,000 COCOS tokens transferred on the game account.

Because the bug submitted by the white hat hacker meets the COCOS Bug Bounty second-level reward requirements (user property, private key, and account security issues, leakage of sensitive information of the chain system, etc.), he received a B+ level reward totaling 100,000 COCOS.

The root cause is that the dicegame contract puts the betting logic and the lottery (draw) logic together, so the outcome of a bet is settled in the same call that places it, and an attacker can exploit this. Dice contract source code: https://github.com/Cocos-BCX/smart-contract-practice/blob/master/code/dicegame.lua

The basic attack technique is as follows:

1. The attacker registers a large number of COCOS mainnet accounts through scripts to accumulate an initial amount of COCOS.

2. The attacker deploys a rollback attack contract.

3. The attacker bets through the attack contract. If the attacker loses, the attack contract interrupts execution through assert, which rolls back the bet. If the attacker wins, all of the contract calls complete successfully.

4. By repeating process 2 continuously, all the COCOS in the original dice contract can be taken away. Attack contract: https://github.com/Cocos-BCX/smart-contract-practice/blob/master/code/rollbackattact.lua

The Cocos-BCX technical security team has contacted the game developer to report the vulnerability and to suspend the related contracts for maintenance. The team also provided two defense methods:

1. Separating the betting and lottery interfaces.

2. Excluding bets that are placed by contracts rather than by users.
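The following added example (a toy Python ledger, not Cocos-BCX contract code and not from the original post) shows why the first defense works: when the stake and the draw are committed in separate transactions, a caller-side assert no longer sees the outcome it would need in order to roll back a loss. The names `Chain`, `bet`, `draw`, `bet_and_draw` and `simulate`, the 50% odds and the 2x payout are all assumptions made for illustration.

```python
import random

class Chain:
    """Toy ledger: a transaction commits fully or is rolled back on a failed assert."""
    def __init__(self):
        self.bal = {"caller": 1000, "dice": 1000}   # constructed sample balances
        self.pending = {}                           # stakes waiting for a draw

    def transact(self, fn):
        snapshot = (dict(self.bal), dict(self.pending))
        try:
            fn(self)
            return True
        except AssertionError:
            self.bal, self.pending = snapshot       # every state change is undone
            return False

def bet(c, who, stake):
    """Record the stake only; no outcome exists yet."""
    c.bal[who] -= stake
    c.bal["dice"] += stake
    c.pending[who] = stake

def draw(c, who, rng):
    """Settle a recorded stake: assumed 50% odds, winner is paid 2x."""
    stake = c.pending.pop(who)
    if rng.random() < 0.5:
        c.bal["dice"] -= 2 * stake
        c.bal[who] += 2 * stake

def bet_and_draw(c, who, stake, rng):
    """Vulnerable shape: stake and outcome are settled inside one call."""
    bet(c, who, stake)
    draw(c, who, rng)

def simulate(split, guard, rounds=50, stake=10, seed=1):
    """Play `rounds` bets; `guard` means the caller asserts that it did not lose."""
    c, rng, losses = Chain(), random.Random(seed), 0
    for _ in range(rounds):
        start = c.bal["caller"]
        def tx(c):
            if split:
                bet(c, "caller", stake)
            else:
                bet_and_draw(c, "caller", stake, rng)
            if guard:
                assert c.bal["caller"] >= start
        if c.transact(tx) and split:
            c.transact(lambda c: draw(c, "caller", rng))  # separate tx, outside the guard
        losses += int(c.bal["caller"] < start)
    return {"caller": c.bal["caller"], "dice": c.bal["dice"], "losses": losses}
```

With the combined interface and a guard, the caller never records a loss; with the split interface the same guard reverts every bet before any draw happens, and an unguarded caller wins and loses normally.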


The Cocos-BCX chain system already has a design for this. A game developer who is familiar with the design of the trusted execution environment can, in the attack above, use the multi-signature feature of functions in Cocos-BCX smart contracts to reject contract function execution requests that do not come from the developer's application. This is an extended implementation of a trusted execution environment. In the latest version, the feature has been upgraded further so that a specific function can be declared to require multiple signatures.

The development of Cocos-BCX is inseparable from everyone’s support and attention. Thanks to the developers for their valuable suggestions. Hope that the MainNet version of Cocos-BCX and every subsequent update will bring you a different experience!

For the discovery of this vulnerability, the developer received 100K COCOS from the Cocos-BCX Foundation as incentive.

Finally, developers are welcome to pay attention to and participate in the COCOS Bug Bounty, rich rewards are waiting for you ~ If you want to know the specific reward mechanism, please visit: https://bounty.cocosbcx.io/static/Cocos_bug_bounty_details.pdf


Next-Gen Digital Game Economy. Game engine, IDE and blockchain for decentralized game development. Website: cocosbcx.io
