
Security researcher Pascal Caversaccio received a tip early this week that allowed him and a group of security researchers to stop a hacker in their tracks.
Seal 911 is a crypto bug-reporting help desk hosted on Telegram. Through it, Caversaccio and his fellow security researchers act as first responders to crypto hacks.
The tip alerted Seal 911 to a vulnerable smart contract at dice9win, a protocol that lets users play games of chance such as coin flips and dice games.
The hacker exploited the vulnerability to bet on the outcome of coin flip games without ever losing money.
Igor Igamberdiev, another Seal 911 responder, said he worked with Caversaccio to confirm the bug.
By the time the tip came in, the hacker had already taken $25,000 from dice9win.
And with another $200,000 at risk in the same contract, the race was on to remove funds and patch the bug before the hacker could strike again.
Caversaccio said he and Igamberdiev confirmed the bug and contacted a team member at dice9win, who quickly withdrew funds from the vulnerable contract and deployed a patch.
The response to Seal 911 helped prevent a $200,000 theft, he said.
Set up in August, Seal 911 gives bug reporters a direct line to over 30 crypto whitehats, auditors, and other security leaders. An automated bot asks reporters a set of questions and forwards their answers to the team of security experts.
Samczsun, head of security at Paradigm and one of Seal 911's creators, said the help desk is an 'experimental solution' that tries to solve the hardest part of responsible bug disclosure: finding the right person to talk to.
The speed at which Seal 911 was able to connect the bug reporter to security experts was crucial to avoiding further losses.
Caversaccio said the event marks the first time that the Seal 911 team had been able to stop hackers in their tracks.
Igamberdiev detailed the dice9win exploit in an X post, explaining that the exploiter utilized a malicious contract for each coin flip bet.
If the exploiter won the bet, the contracts would redirect money to their wallet. If they lost, the malicious contract reverted the bet transaction.
Because the transaction reverted, the state in dice9win's contracts was never updated, leaving the bet in a pending state. The exploiter could then withdraw the pending bet eight hours later.
"T risk anything other than locking up capital for a short time, having the opportunity to steal money from the casino," Igamberdiev said.
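The settlement pattern Igamberdiev describes, as an added illustration that is neither dice9win's code nor taken from his post: a hypothetical coin-flip contract whose `settleBet` pushes funds to the player inside the same transaction that records the result, next to a version that records the result first and lets the player pull winnings later. The consolation transfer to losers, the 8-hour refund window and every name in the block are assumptions made for the example; the article does not say how dice9win's settlement reached the player's contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical coin-flip casino used to illustrate the flaw described above.
// This is NOT dice9win's code; all names, the consolation transfer and the
// 8-hour refund window are assumptions made for this example.

abstract contract CasinoBase {
    enum State { None, Placed, Settled, Refunded }
    struct Bet { address player; uint256 amount; uint64 placedAt; State state; }

    mapping(uint256 => Bet) public bets;
    uint256 public nextId;
    address public immutable croupier;             // trusted settlement key
    uint64 public constant REFUND_DELAY = 8 hours; // assumed: mirrors the article's "eight hours"

    constructor(address croupier_) { croupier = croupier_; }

    receive() external payable {}                  // house bankroll

    modifier onlyCroupier() { require(msg.sender == croupier, "not croupier"); _; }

    function placeBet() external payable returns (uint256 id) {
        require(msg.value > 0, "no stake");
        id = nextId++;
        bets[id] = Bet(msg.sender, msg.value, uint64(block.timestamp), State.Placed);
    }
}

// Vulnerable pattern: settlement and payout happen in one transaction and the
// payout is pushed to an address the player controls. If that address is a
// contract whose receive() reverts, the whole transaction reverts, so the loss
// is never recorded and the bet stays in State.Placed until the refund window
// opens. The state write on the line before the call does not help: the revert
// undoes it too.
contract PushSettlementCasino is CasinoBase {
    constructor(address c) CasinoBase(c) {}

    function settleBet(uint256 id, bool playerWon) external onlyCroupier {
        Bet storage b = bets[id];
        require(b.state == State.Placed, "not pending");
        b.state = State.Settled;                           // rolled back if the call reverts
        uint256 payout = playerWon ? b.amount * 2 : 1 wei; // assumed: losers get a token transfer
        (bool ok, ) = b.player.call{value: payout}("");
        require(ok, "payout failed");                      // player-controlled revert propagates
    }

    function refundBet(uint256 id) external {
        Bet storage b = bets[id];
        require(b.state == State.Placed, "not pending");
        require(block.timestamp >= b.placedAt + REFUND_DELAY, "too early");
        b.state = State.Refunded;
        (bool ok, ) = b.player.call{value: b.amount}("");
        require(ok, "refund failed");
    }
}

// Hardened pattern: the result is recorded with no external call, so nothing
// the player controls can revert settlement. Value moves only when the player
// withdraws it, and a failed withdrawal affects only that withdrawer.
contract PullSettlementCasino is CasinoBase {
    mapping(address => uint256) public withdrawable;

    constructor(address c) CasinoBase(c) {}

    function settleBet(uint256 id, bool playerWon) external onlyCroupier {
        Bet storage b = bets[id];
        require(b.state == State.Placed, "not pending");
        b.state = State.Settled;                           // recorded unconditionally
        if (playerWon) withdrawable[b.player] += b.amount * 2;
        // A loss credits nothing; the stake stays with the house.
    }

    function refundBet(uint256 id) external {
        Bet storage b = bets[id];
        require(b.state == State.Placed, "not pending");
        require(block.timestamp >= b.placedAt + REFUND_DELAY, "too early");
        b.state = State.Refunded;
        withdrawable[b.player] += b.amount;                // credited, not pushed
    }

    function withdraw() external {
        uint256 amt = withdrawable[msg.sender];
        require(amt > 0, "nothing to withdraw");
        withdrawable[msg.sender] = 0;                      // effects before interaction
        (bool ok, ) = msg.sender.call{value: amt}("");
        require(ok, "withdraw failed");
    }
}
```

The defensive rule the second contract follows is pull-over-push: a transaction that records a game result must not contain a call the counterparty can make revert. An operator running the first pattern can still detect the abuse from the chain: settlement transactions from the croupier that revert, and bets that remain in `Placed` until the refund window opens, are both visible before the refund is taken.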
Dice9win is not the only crypto betting platform to be hacked in recent weeks. Crypto casino Stake lost $41 million in September, according to a report.
Stake co-founder Edward Craven told DL News that hackers did not breach the password-like private keys that govern Stake's wallets, but were able to make a series of unauthorised transactions.
The FBI National Press Office said that the North Korean Lazarus Group was behind the Stake attack.
Mailing address: tim@dlnews.com