SmartBillions, a so-called fully decentralized and transparent lottery system, managed by an Ethereum smart contract, recently challenged hackers to get through its smart contract’s security, and added a 1,500 Ether ($450,000) reward to be collected by anyone that managed to compromise it.
The goal was to demonstrate “the SmartBillions lottery smart contract’s comprehensive security.” Initially, according to a press release, the prize was to be collected by any hacker that managed to break into the smart contract and withdraw the funds, as a way to prove how serious the team took investor protection. The team stated:
“The development team is so confident in their product and its security that they will risk their own funds (1500 ETH), to demonstrate its safety.”
A few days later, the issued challenge seemingly backfired, as a hacker did manage to compromise the smart contract. The hacker, according to a Reddit thread, essentially managed to game the system and force it to make him win large amounts. The hacker managed to withdraw 200 ETH twice, before the contract’s admin pulled the remaining funds and cut his losses, as visible in the contract’s address.
SmartBillions reacted to the occurrence by congratulating the individual – or individuals, as they point to two hackers – who managed to withdraw the funds.The team behind the smart contract-based lottery system even added that they’d rather see it happen now, than during the ICO, and even announced a new hackathon, following a smart contract revision. The team wrote:
“We witnessed the best possible scenario as the breach was revealed during the hackathon process, rather than during the ICO. We strongly believe in this community audit mechanism and, as a result, we’re launching the next hackathon today, following a revision of the smart contract conditions.”
Various users believe that SmartBillions’ team wasn’t fair with the hacker(s)that managed to withdraw some of the funds, as the bounty was of 1,500 Ether, not whatever they could get before the team pulled the funds.
Given that the project’s members remain anonymous, and that they used a backdoor to pull the remaining funds, many now believe the incoming ICO might not be safe for investors, as the same thing can happen after users send over their money.
The new hackathon will also have a 1,500 Ether prize, and will start, according to the organization’s website, seven days before the ICO starts on October 16. This time, as various users pointed out, the hackathon will get a lot more attention than what it did before, so the team needs to thoroughly review the code.