Crypto casino platform GMBL.COMPUTER, launched on September 5, was exploited within hours, and 471 ETH (nearly $777,000) was drained.
The GMBL project, which promises to generate yield from casino games, has shut down its operations after the incident, promising to re-launch after all risks and bugs are examined and mitigated.
The Exploit and Recovery
The amount exploited is roughly the same as what GMBL had generated in the presale of $GMBL. In a quick explanation, GMBL said, “Someone was able to spoof a call and get a signature from our server, then pass it to the contract and pull almost 500 ETH worth of GMBL out of the contract.” It added that the hacker is fully doxxed.
“Thanks to our great community, we have all their information and will begin the process to recover funds. We are offering a bug bounty to not proceed with legal action if funds are returned. We have recovered half the funds stolen from the hacker to our multisig… We are working on recovering the remaining funds. Please be patient with us,” it said on September 6.
On September 8, the GMBL team published a blog post giving details of the exploit and its plans for re-launch.
“To the hacker: If you’d like us to treat this as a white hat, please send 90% of the funds back to our ARB MULTISIG 0x4263FDcddde978cc9239199Bf8533a064db9dF5E and keep 10% as a bounty. If we do not receive the funds by tomorrow at 9 pm EST, we will proceed with legal action,” the GMBL team said in a message to the exploiter.
The exploiter returned 235 ETH (nearly $243,631.17).
On September 7, the team submitted a proposal to ParaSwap DAO to recover an additional $243,631.17.
What Caused The Hack?
The GMBL team pinpointed a flaw in the platform’s referral system that allowed the perpetrator to place bets without depositing funds and use those bets to generate referral bonuses.
“The exploiter was able to place “Ghost” bets with account 1, which was referred by account 2. The amount being bet in the “Ghost” bets was massive, so much so that account 2 was able to claim over 8 million $GMBL in referrals before we stopped the exploit,” it said in the Medium blog.
GMBL said operations will re-launch once the team is confident all additional attack vector risks and bugs are mitigated.
“Manual withdrawal approvals will be added for large withdrawals along with safeguards around referral claims. Additional protection and safety measures will be added for increased security. We have engaged with third-party technical resources for the review of every line of code in our internal systems and infra stack,” it added.
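The safeguards described above can be sketched as server-side checks that run before any referral claim is signed. This is an added example, not GMBL's code: the account model, referral rate, review threshold and HMAC signature (a stand-in for whatever signature the contract verifies) are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# All names, rates and thresholds below are assumptions for illustration.
SIGNING_KEY = b"constructed-demo-key"  # constructed; a real key belongs in a KMS/HSM
REFERRAL_RATE_BPS = 100                # assumed 1% referral rate
MANUAL_REVIEW_ABOVE = 10_000           # assumed threshold, in token units


@dataclass
class Account:
    balance: int = 0         # spendable balance backed by confirmed deposits
    funded_volume: int = 0   # sum of stakes that the balance actually covered


def deposit(acct, amount):
    acct.balance += amount


def place_bet(acct, stake):
    """Reject any stake the balance cannot cover, so no "ghost" volume accrues."""
    if stake <= 0 or stake > acct.balance:
        return False
    acct.balance -= stake
    acct.funded_volume += stake
    return True


def referral_claim(referrer_id, referred, already_claimed, nonce):
    """Return (status, amount, signature) for a referrer's claim."""
    # Only funded volume earns a bonus; unfunded bets never reach this figure.
    earned = referred.funded_volume * REFERRAL_RATE_BPS // 10_000
    amount = earned - already_claimed
    if amount <= 0:
        return ("rejected", 0, None)
    if amount > MANUAL_REVIEW_ABOVE:
        # Large claims get no signature until a human approves them.
        return ("manual_review", amount, None)
    # Bind claimant, amount and a one-time nonce so the signature cannot be
    # replayed or reused for a different amount.
    msg = f"{referrer_id}|{amount}|{nonce}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return ("approved", amount, sig)
```
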