ReplaySafe Contract Stealing funds ??? #1128
Comments
@goodday1 please excuse my late reply. There are currently two replaysafe/split-contracts:
(ii) is based on (i) with the addition of token support and got integrated into the send interface of Ethereum-Wallet. Using the replaysplit option on the wallet's send screen should prohibit the use of

Should you be using any of (i) or (ii) as a custom contract or invoke it via a command-line interface of any ethereum node, you won't be protected from specifying

I tried to gather some statistics about lost Ether on (i) and (ii):

(i) 22 of 88929 TXs (0.025%) affected
(ii) 1 of 340 TXs (0.294%) affected

Source code (python):

```python
import json, requests, time

urlPrefix = "http://api.etherscan.io/api?module=account&action=txlist&address=0x1cA4A86BBa124426507d1EF67Ad271CC5A02820a&startblock="
urlMid = "&endblock="
urlSufix = "&sort=asc&apikey=YourApiKeyToken"
firstBlock = 1920419
latestBlock = int(json.loads(requests.get(url="https://api.etherscan.io/api?module=proxy&action=eth_blockNumber").text)['result'], 0)
chunkSize = 10000
txs = []
ether = 0  # running total in wei

for i in range(firstBlock, latestBlock + 1, chunkSize):
    # startblock/endblock are inclusive, so end each chunk one block before
    # the next one starts; otherwise boundary blocks are counted twice.
    lastInChunk = min(i + chunkSize - 1, latestBlock)
    print("Scanning block " + str(i) + " to " + str(lastInChunk) + " - " + str(100*(i - firstBlock) / (latestBlock - firstBlock)) + "%")
    data = json.loads(requests.get(url=urlPrefix + str(i) + urlMid + str(lastInChunk) + urlSufix).text)['result']
    for k in range(0, len(data)):
        # input = "0x" + 8 hex chars of function selector + 64 hex chars per argument;
        # [10:74] is the first argument, all zeros means the zero address.
        if (data[k]['input'][10:74] == '0000000000000000000000000000000000000000000000000000000000000000'):
            txs.append(data[k]['hash'])
            ether += int(data[k]['value'])

print("Total lost ETH: " + str(float(ether)/(10**18)) + "\nList of Transactions:")
for tx in txs:
    print(tx)
```

To check locally instead of using etherscan.io's API you can use this code (node.js):

```javascript
var Parallel = require('paralleljs');
var Web3 = require('web3');
var _ = require('underscore');

var web3 = new Web3(new Web3.providers.HttpProvider("http://localhost:8545"));
var startBlock = 1920419;
var endBlock = web3.eth.blockNumber;

// Split the block range into chunks that are scanned in parallel.
var chunks = [];
var chunksCount = 10;
var step = Math.floor((endBlock - startBlock) / chunksCount);
for (var i = 0; i < chunksCount; i++) {
    // The last chunk runs up to endBlock so the division remainder is not skipped.
    var end = (i == chunksCount - 1) ? endBlock + 1 : startBlock + (i + 1)*step;
    chunks.push(_.range(startBlock + i*step, end));
}
console.log(chunks);

var p = new Parallel(chunks);

// Runs inside a worker, so it needs its own web3 instance.
function scan(chunk) {
    var Web3 = require('web3');
    var web3 = new Web3(new Web3.providers.HttpProvider("http://localhost:8545"));
    console.log('processing block', chunk[0], '-', chunk[chunk.length - 1]);
    chunk.forEach((blocknumber) => {
        console.log(blocknumber);
        var block = web3.eth.getBlock(blocknumber);
        for (var i in block.transactions) {
            var tx = web3.eth.getTransaction(block.transactions[i]);
            if (tx.to == '0xaa1a6e3e6ef20068f7f8d8c835d2d22fd5116444') {
                var input = tx.input;
                // slice(34,74) is the 20-byte address inside the first argument.
                console.log(blocknumber + ' - 0x' + input.slice(34,74));
                // Compare as a string: "== 0" would also match strings such as "0e12".
                if (input.slice(34,74) === '0000000000000000000000000000000000000000')
                    console.log(tx.hash);
            }
        }
    });
    return 0;
}

p.map(scan);
```

Unfortunately it is not possible to retrieve the lost ether.
There is also 0xaBbb6bEbFA05aA13e908EaA492Bd7a8343760477

You can read the details here: https://medium.com/@chevdor/safer-version-of-the-replaysafesplit-smart-contract-a29c347e8a7#.xhfg8z383

This version adds some checks to prevent user/client errors. So the contract will throw if you call it without funds or if any of the 2 addresses is missing.
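Added example (not part of the thread, and not the contract's or the wallet's code): a client-side pre-send check that mirrors the conditions described above, rejecting a split call with no funds or with either address missing. It assumes the calldata layout the scan scripts in this thread rely on (4-byte selector followed by two 32-byte address words); the function names, the placeholder selector and the sample addresses are constructed.

```python
# Added example: offline pre-send check for a two-address split call.
# Assumed layout: 4-byte selector, then two 32-byte ABI words, each holding
# a 20-byte address right-aligned (the upper 12 bytes must be zero).

ZERO_ADDRESS = "0" * 40
HEX_DIGITS = set("0123456789abcdef")


def decode_split_call(input_hex):
    """Return (selector, first_address, second_address) as hex strings."""
    data = input_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 2 * 64:
        raise ValueError("expected selector plus two 32-byte arguments")
    if not set(data) <= HEX_DIGITS:
        raise ValueError("non-hex characters in calldata")
    words = [data[8:72], data[72:136]]
    for word in words:
        if word[:24] != "0" * 24:
            raise ValueError("upper 12 bytes of an address word are not zero")
    return data[:8], words[0][24:], words[1][24:]


def check_split_call(input_hex, value_wei):
    """Return a list of problems; an empty list means the call may be sent."""
    try:
        _, first, second = decode_split_call(input_hex)
    except ValueError as exc:
        return ["malformed calldata: " + str(exc)]
    problems = []
    if value_wei <= 0:
        problems.append("no funds attached")
    if first == ZERO_ADDRESS:
        problems.append("first address is missing (zero)")
    if second == ZERO_ADDRESS:
        problems.append("second address is missing (zero)")
    return problems


# Constructed sample inputs; the selector is a placeholder, not a real one.
SELECTOR = "deadbeef"
ADDR_A = "11" * 20
ADDR_B = "22" * 20
GOOD = "0x" + SELECTOR + ADDR_A.rjust(64, "0") + ADDR_B.rjust(64, "0")
BAD = "0x" + SELECTOR + "0" * 64 + ADDR_B.rjust(64, "0")

if __name__ == "__main__":
    for name, call in (("good", GOOD), ("bad", BAD)):
        print(name, check_split_call(call, 92 * 10**18))
```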
Thank you @chevdor for pointing this out!
This thread has been automatically locked because it has not had recent activity. Please open a new issue for related bugs and link to relevant comments in this thread.
Version: 0.8.2
OS & Version: windows10 64bit
Node type: `geth(default)`

I just updated to version 8.2 of ethereum wallet. I ran the wallet, which was already synced, then executed the REPLAYSAFECONTRACT (from ethereum blog) to split 92 ethers in one of my accounts.
I double checked both addresses, fork and no fork to make sure they are correct, then put in my password to execute and instead of splitting my ether it sent 92 ethers to this address without splitting.
http://etherscan.io/address/0x0000000000000000000000000000000000000000
contract execution : http://etherscan.io/tx/0xacf45617a60827ceb931a419034af9da97b5676e17107c547c9c11b04db1355a
my address with classic and ether balance : http://etherscan.io/address/0x6Cf0569bf06069e27fca1Ff3d6cb398116F0a097
address I tried to split classic to (poloniex) : https://gastracker.io/addr/0x850e230251913fdcdde0da6bfb53f338f6f7b021
How is this possible and why would it happen? How do I get my ethers back?