Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

EarnHub is another blockchain based product. They were attempting to do some asset holding project. The more money and the longer the money was in, the more money you would get back.

The smart contracts used an interface with two main functions. This interface had a function called makeHop to allow the transferring of their shares between different pools. To move the money to a new pool, you specify the address of the contact to use. When this happens, the function receiveHop from the new contract is called.

The function makeHop has an error in its handling. When it calls the approve function for the pool, it allows transfer for the total supply of the pool. When, in reality, it should only be the amount that is accessible from the pool itself. A malicious user can call makeHop to a malicious pool they control to drain all of the funds rather than just the user shares.

The attack goes as allows:

1. The attacker creates two contracts: earner and leecher.
2. On the earner contract they buy EarnHub and stake it.
3. The earner contract hops to the leecher contract.
4. The leecher contract drains all of the funds from the staking contract by calling transferFrom many times.

Although cryptocurrency hacks are interesting, there are incredibly painful and sad to see. On the EarnHub website is the chilling text "EarnHub has been exploited. Most funds have been stolen. The project is canceled. Yikes!

When calling other contracts, you need to be very careful the data that can be accessed and the powers that they contain.