GMBL Computer Exploit Details

GMBL Computer
Sep 7, 2023

We want to dive deeper into the exploit, and explain what happened in detail.

1. The GMBL Computer system, and how it works:

GMBL Computer is a DeFi protocol that generates yield from casino games. All profits generated from the games are sent to stakers, who stake xGMBL and receive a proportional share of these profits weekly. All activity on our platform is in $GMBL, our native platform currency. So every bet, payout, referral claim, and yield claim is in $GMBL/xGMBL.

2. The part of the system that got exploited was the referral system. Here is how it works:

Send your referral link to a friend, and if they connect a wallet on our site using your link, you make 5% of their in-game losses in perpetuity, on any game.

Users can go to their profile and copy their unique referral link, and also claim the referral bonuses they earned from this link.

When a user claims their referrals, we tally all the losses of people they referred since they last claimed and credit them 5% of this total, which gets added right to the user’s in-game balance.

3. Here is what the attacker did to exploit it:

The attack was embarrassingly simple, and it reflects poorly on the GMBL Team that we overlooked this attack vector.

The attacker was able to place “Ghost” bets on the crash game by passing information directly to the route. We accounted for users attempting this, so the bets did not count, the user would not be able to cash out, and all would be well. This part of the system worked as expected, and was not directly exploited.

However, our mistake was that the “Ghost” bet was being registered as a loss for the user. So, any user that referred them would be able to claim 5% of these “Ghost” bet losses, even though the bet was never there to begin with.

The exploiter was able to place “Ghost” bets with account 1, which was referred by account 2. The amount being bet in the “Ghost” bets was massive, so much so that account 2 was able to claim over 8 million $GMBL in referrals before we stopped the exploit.

It was a one-line fix that cost our community almost a million dollars, and has now been rectified.
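The flaw described above, modeled as an added example (this is not GMBL Computer's server code): a referral tally that counts rejected bet attempts as losses, next to one that counts only accepted bets that actually debited a balance, plus an independent cap check before crediting. The record fields, function names, and sample data are assumptions constructed for illustration.

```javascript
// Added illustration; hypothetical ledger, not GMBL Computer's server code.
// Constructed sample data: account "A1" was referred by account "A2".
const REFERRAL_RATE_BPS = 500n; // 5% of referred losses, in basis points

// One record per bet attempt as the server saw it. `accepted` is false for a
// "ghost" bet the game rejected; `debited` is what actually left the balance.
const bets = [
  { id: 1, user: "A1", referrer: "A2", stake: 100n, accepted: true, debited: 100n, payout: 0n },
  { id: 2, user: "A1", referrer: "A2", stake: 40n, accepted: true, debited: 40n, payout: 60n },
  { id: 3, user: "A1", referrer: "A2", stake: 8000000n, accepted: false, debited: 0n, payout: 0n },
];

// Flawed tally: every attempt with no payout counts as a loss of its stake,
// whether or not the game accepted the bet.
function claimableFlawed(referrer, records) {
  let losses = 0n;
  for (const b of records) {
    if (b.referrer === referrer && b.payout === 0n) losses += b.stake;
  }
  return (losses * REFERRAL_RATE_BPS) / 10000n;
}

// Corrected tally: a loss exists only when an accepted bet debited more than
// it paid out, and it is measured from the debit, not the requested stake.
function claimableFixed(referrer, records) {
  let losses = 0n;
  for (const b of records) {
    if (b.referrer !== referrer || !b.accepted) continue;
    const net = b.debited - b.payout;
    if (net > 0n) losses += net;
  }
  return (losses * REFERRAL_RATE_BPS) / 10000n;
}

// Independent check before crediting: a claim may never exceed 5% of what the
// referred users actually had debited in the period.
function claimIsBacked(referrer, records, claim) {
  let debited = 0n;
  for (const b of records) if (b.referrer === referrer) debited += b.debited;
  return claim <= (debited * REFERRAL_RATE_BPS) / 10000n;
}
```

The cap check is deliberately computed from debits alone, so it still rejects an inflated claim if the loss-tally logic regresses.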

4. Here is what we are doing to make sure this doesn’t happen again:

There are only two places where in-game balances are adjusted for users: when betting on games, and when claiming referrals.

We are doubling down on testing these things to prevent any more potential attacks through the game itself.

Our smart contracts are already audited by Halborn; however, we are bringing in a team to audit our server code as well.

We are adding manual withdrawal approvals above certain amounts, the amount to be determined.

Finally, we are adding checks to the referral system to prevent any sort of exploit from happening again through this vector.

Conclusion

We let you down. We have found the exploiter and are working on recovering all funds lost to this exploit. This will not happen again — we will delay a re-launch of the platform until we have an ironclad security system that should have been there from day one. We deeply apologize to all community members that were affected, and will take the right steps to do this right one final time.

Thank you,

The GMBL Computer Team.
