An active exploit of the Transaction Request Core contract has led to 204 ETH, worth around $260,000, in gas fees being stolen.
On Wednesday, blockchain security firm PeckShield Inc confirmed an ongoing exploit that uses a large gas price to “game the TransactionRequestCore contract” into producing a reward that comes at a cost to the original owner.
Users first suspected something was amiss when they noticed a number of unusually high-value rewards to MEV validators earlier in the day.
Analysis from web3 security audit firm Supremacy Inc found that the contract belongs to the seven-year-old Ethereum Alarm Clock project. The project lets users schedule transactions by setting the recipient wallet address, amount to be sent and the time of the transaction. If a transaction has been canceled, the project issues a refund for gas fees.
According to Supremacy Inc, the attacker used a cancel function on these contracts using a significant amount of gas, exploiting a bug in the smart contract code that issues a higher refund than what was initially paid.
“The hacker does not need to use more than 85000 gas, only 70355 is enough, the actual tx fee paid < the Transaction Fee returned by the cancel function, where the difference is the hacker profit,” wrote Supremacy in a tweet, sharing a screenshot of the transaction seen on Etherscan.
PeckShield observed that the exploit pays 51% of the profit to the miner, which is what caused the surge in MEV-Boost rewards earlier in the day. At the time of writing, PeckShield reported 24 addresses competing for these rewards.
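To make the refund defect concrete, here is an added Python model of the cancel-refund accounting; it is not code from the Ethereum Alarm Clock project nor from PeckShield or Supremacy. It contrasts a refund computed from a fixed gas reservation (refunding the reservation even when less gas was burned, so the surplus becomes the caller's profit at the owner's expense) with a refund capped at the cost actually incurred. The 85000 / 70355 gas figures come from Supremacy's tweet and the 51% miner share from PeckShield; the gas price, the escrow amount and the idea that the refund derives from a fixed reservation are assumptions constructed for illustration.

```python
# Added example (not the Ethereum Alarm Clock contract code): a model of
# gas-refund accounting on a scheduled-transaction cancel path.
# Assumptions: the owner escrowed reserved_gas * gas_price up front, and
# the flawed path refunds that reservation in full. Gas figures are from
# the tweet quoted in the article; prices and escrow are constructed.

GWEI = 10**9


def flawed_refund(reserved_gas: int, gas_price: int) -> int:
    """Refund the whole reservation regardless of gas actually burned.
    Unused gas in the reservation becomes profit for whoever calls cancel."""
    return reserved_gas * gas_price


def capped_refund(gas_used: int, gas_price: int, escrowed: int) -> int:
    """Hardened variant: refund only the fee actually incurred, and never
    more than what the original owner escrowed for this cancellation."""
    return min(gas_used * gas_price, escrowed)


def caller_profit(refund: int, gas_used: int, gas_price: int) -> int:
    """Net gain for the cancel caller: refund minus the tx fee they paid."""
    return refund - gas_used * gas_price


def split_with_miner(profit: int, miner_share_pct: int) -> tuple[int, int]:
    """Portion of a refund surplus routed to the block producer as a tip
    versus kept by the caller (the article reports a 51% miner share)."""
    miner_cut = profit * miner_share_pct // 100
    return miner_cut, profit - miner_cut


def scenario(gas_price: int = 500 * GWEI) -> dict:
    """Run both refund variants on the article's gas figures."""
    reserved_gas, gas_used = 85_000, 70_355           # from Supremacy's tweet
    escrowed = reserved_gas * gas_price               # constructed escrow
    bad = flawed_refund(reserved_gas, gas_price)
    good = capped_refund(gas_used, gas_price, escrowed)
    bad_profit = caller_profit(bad, gas_used, gas_price)
    good_profit = caller_profit(good, gas_used, gas_price)
    miner_cut, caller_keep = split_with_miner(bad_profit, 51)
    return {
        "flawed_profit_wei": bad_profit,
        "capped_profit_wei": good_profit,
        "miner_cut_wei": miner_cut,
        "caller_keep_wei": caller_keep,
    }


def refund_never_exceeds_cost(gas_used: int, escrowed: int, gas_prices) -> bool:
    """Invariant a hardened cancel path should satisfy at every gas price:
    the refund must never exceed the fee actually paid. Monitoring can
    apply the same check to observed cancels: refund > gas_used * gas_price
    is the signature of the surplus described in the article."""
    return all(
        caller_profit(capped_refund(gas_used, p, escrowed), gas_used, p) <= 0
        for p in gas_prices
    )


if __name__ == "__main__":
    for key, wei in scenario().items():
        print(f"{key}: {wei / 10**18:.6f} ETH")
```

The model shows why the surge in MEV rewards was visible on-chain: every cancel under the flawed accounting nets the caller a surplus proportional to the gas price, and routing roughly half of it to the block producer makes the activity show up as anomalously large tips. The capped variant yields zero surplus at any gas price, which is the property a fix or a monitoring rule should assert.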