GMBL COMPUTER, a relatively new decentralized finance (DeFi) gambling protocol, recently suffered a loss of 500 ETH due to a key signing leak. This breach allowed an attacker to withdraw GMBL tokens worth nearly $800,000 at current market prices.
The breach was not the result of a contract vulnerability but of an off-chain issue, as the GMBL Computer team noted:
“This is not a contract vulnerability. We have identified the root cause, which is off-chain.”
Here is what happened:
Someone was able to spoof a call and get a signature from our server, then pass it to the contract and pull almost 500 ETH worth of GMBL out of the contract.
THE GOOD NEWS:
This is not a contract vulnerability. We have identified the root cause, which is…
— GMBL.COMPUTER (🤑, ♻️) (@gmblcomputer) September 6, 2023
Several reports further suggest that an individual managed to spoof a call to the GMBL Computer server and obtain a signature from it. That signature was then presented to the contract to withdraw almost 500 Ethereum (ETH) worth of GMBL tokens.
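To make that off-chain failure mode concrete, here is an added example of a generic server-signed withdrawal flow. It is not GMBL Computer's code (the page gives no implementation details): it shows a naive signer that signs any request it receives, beside a hardened one that authenticates the caller, checks the request against server-side balances, debits before signing, and binds each claim to contract, chain, nonce and deadline so the contract can reject replays and redirected claims. HMAC-SHA256 stands in for the ECDSA signature a real contract would check with ecrecover; the addresses, key, session tokens and balances are constructed for the illustration.

```python
# Added example: a generic "server-signed withdrawal" flow, NOT GMBL Computer's
# code (the page gives no implementation details). HMAC-SHA256 stands in for the
# ECDSA signature an on-chain contract would check with ecrecover (assumption).
import hashlib
import hmac
import json

CHAIN_ID = 42161                          # Arbitrum One (the team's multisig is on ARB)
CONTRACT = "0xVAULT"                      # hypothetical contract address
SIGNER_KEY = b"hypothetical-server-key"   # hypothetical signing key


def encode_claim(claim):
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


def sign(key, claim):
    return hmac.new(key, encode_claim(claim), hashlib.sha256).hexdigest()


class NaiveSigner:
    """Signs whatever it is asked for: anyone who can reach (or spoof a request
    to) the endpoint obtains a valid withdrawal signature for any amount."""
    def __init__(self, key, now):
        self.key, self.now, self.nonce = key, now, 0

    def sign_withdrawal(self, recipient, amount):
        claim = {"contract": CONTRACT, "chain_id": CHAIN_ID, "recipient": recipient,
                 "amount": amount, "nonce": self.nonce, "deadline": self.now() + 600}
        self.nonce += 1
        return claim, sign(self.key, claim)


class HardenedSigner:
    """Authenticates the caller, checks server-side state, debits before signing,
    and binds the claim to contract, chain, nonce and deadline."""
    def __init__(self, key, balances, sessions, now):
        self.key, self.now = key, now
        self.balances = dict(balances)   # player address -> withdrawable wei
        self.sessions = dict(sessions)   # session token -> authenticated address
        self.nonces = {}

    def sign_withdrawal(self, session_token, recipient, amount):
        player = self.sessions.get(session_token)
        if player is None:
            raise PermissionError("unauthenticated request")
        if recipient != player:
            raise PermissionError("recipient must be the authenticated player")
        if amount <= 0 or amount > self.balances.get(player, 0):
            raise ValueError("amount exceeds withdrawable balance")
        self.balances[player] -= amount                 # debit first: no double issue
        nonce = self.nonces.get(player, 0)
        self.nonces[player] = nonce + 1
        claim = {"contract": CONTRACT, "chain_id": CHAIN_ID, "recipient": recipient,
                 "amount": amount, "nonce": nonce, "deadline": self.now() + 600}
        return claim, sign(self.key, claim)


class Vault:
    """Stand-in for the on-chain contract: pays only a validly signed, unexpired,
    never-before-seen claim bound to this contract and chain."""
    def __init__(self, key, now):
        self.key, self.now, self.used = key, now, set()

    def withdraw(self, claim, signature):
        if not hmac.compare_digest(sign(self.key, claim), signature):
            raise ValueError("bad signature")
        if claim["contract"] != CONTRACT or claim["chain_id"] != CHAIN_ID:
            raise ValueError("claim not bound to this contract/chain")
        if self.now() > claim["deadline"]:
            raise ValueError("claim expired")
        if (claim["recipient"], claim["nonce"]) in self.used:
            raise ValueError("replayed claim")
        self.used.add((claim["recipient"], claim["nonce"]))
        return claim["amount"]                          # funds released


def rejected(fn, *args):
    try:
        fn(*args)
        return False
    except (PermissionError, ValueError):
        return True


def run_demo():
    clock = [1_000_000]
    now = lambda: clock[0]
    vault, out, ETH = Vault(SIGNER_KEY, now), {}, 10**18
    # Naive signer: a spoofed request for "0xATTACKER" is honoured in full.
    claim, sig = NaiveSigner(SIGNER_KEY, now).sign_withdrawal("0xATTACKER", 500 * ETH)
    out["naive_paid"] = vault.withdraw(claim, sig)
    # Hardened signer with constructed state: Alice holds 3 ETH withdrawable.
    hard = HardenedSigner(SIGNER_KEY, {"0xALICE": 3 * ETH}, {"tok-alice": "0xALICE"}, now)
    out["unauth_rejected"] = rejected(hard.sign_withdrawal, "tok-forged", "0xATTACKER", 500 * ETH)
    out["overdraw_rejected"] = rejected(hard.sign_withdrawal, "tok-alice", "0xALICE", 4 * ETH)
    claim, sig = hard.sign_withdrawal("tok-alice", "0xALICE", 2 * ETH)
    out["legit_paid"] = vault.withdraw(claim, sig)
    out["replay_rejected"] = rejected(vault.withdraw, claim, sig)
    out["tamper_rejected"] = rejected(vault.withdraw, dict(claim, amount=10 * ETH), sig)
    claim, sig = hard.sign_withdrawal("tok-alice", "0xALICE", ETH)
    clock[0] += 3600                                    # let the claim's deadline pass
    out["expired_rejected"] = rejected(vault.withdraw, claim, sig)
    return out
```

The design point is that a signature-minting endpoint is part of the trust boundary: the contract can only verify that the server signed a claim, not whether the server should have, so the server must authenticate the requester and check the claim against its own ledger before signing, and the signed payload must carry enough context (contract, chain, nonce, deadline) that a leaked or replayed signature is useless elsewhere.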
GMBL COMPUTER Team Claims to Identify the Exploiter
The GMBL Computer Team was quick to react and pinpoint the source of the problem. They have publicly disclosed that they now possess all the necessary information about the hacker.
Interestingly, GMBL Computer has offered a bug bounty to the hacker in exchange for returning the stolen funds. They have asked for the return of 90% of the pilfered funds to their Arbitrum wallet while allowing the hacker to keep 10% as a bounty.
To the hacker:
If you’d like us to treat this as a white hat, please send 90% of the funds back to our ARB MULTISIG 0x4263FDcddde978cc9239199Bf8533a064db9dF5E and keep 10% as a bounty.
If we do not receive the funds by tomorrow at 9pm EST, we will proceed with legal action
— GMBL.COMPUTER (🤑, ♻️) (@gmblcomputer) September 6, 2023
The clock is ticking, as they’ve set a deadline for the return: tomorrow at 9 p.m. EST. If at least 90% of the funds are not returned by then, they have made it clear that legal action will follow.
Community Response and Recovery Efforts
This incident has sparked a flurry of reactions within the crypto community. Some have questioned the need for the bounty if the hacker’s identity is known, while others have raised concerns about the legality of GMBL COMPUTER taking legal action.
Despite these concerns, GMBL COMPUTER has managed to recover half of the stolen funds in their multisig wallet, thanks to the collective efforts of their community and supporters, including Samczsun, a researcher at Paradigm, and other professional sleuths. Moreover, they said they are actively working towards retrieving the remaining funds.
GMBL COMPUTER is a DeFi gambling protocol that aims to reward stakers with profits generated from casino games. This incident occurred shortly after the protocol’s launch, causing an over 75% drop in the value of their GMBL token, as per data on GeckoTerminal.