Overview of Fomo3D
Fomo3D, a Ponzi gambling blockchain game is taking the Internet by storm. Since its official launch on 2018-07-06, the value of the Pot was at 21,626.9552 ETH, total assets attracted by the game was valued at 95,759.365 ETH and total number of players reached as high as 18,258, as of 2018-07-26, 22:50. The appeal of the game to attract funds is undeniable, and yet, the true consequence is not the craze generated, but the butterfly effect brought on by Fomo3D - the rise of copycat contracts.
Copycat Contracts On the Rise
On July 20, the first copycat contract was released. On July 21, copycat incidents started trending as more copycat contracts emerged on the market. On July 22, more counterfeit smart contracts flooded the market, as funding, in big and small amounts, started trickling in one after another, and Fomo3D copycat contracts witnessed an explosive growth spurt. RatingToken's smart contract monitoring platform detected these “high-end replicas” and sent out preemptive alerts in the shortest time possible.
As of July 25, RatingToken's real-time monitoring and preemptive alert platform has been monitoring 156 copycat game contracts. On July 23, the number of copycat games saw the highest increase, with 45 new contracts daily. The increase in new copycat contracts has since slowed down.
Statistics on daily new copycat contracts:
Number of daily new Fomo3D copycat contracts
Top ten copycat contracts in terms of participants:
Top 10 copycat games in terms of transaction volume:
Top 10 copycat games in terms of transaction amount:
Security Risk Analysis:
Among the 156 newly published copycat games, nearly 87.2% of the code in copycat contracts is highly similar to the original code in Fomo3D game. We conducted a detailed security audit on the contract code of the top three f3dplus games.
Contract address of the copycat game: 0x0f90ef4e2526E3D1791862574f9Fb26A0f39eC86
Contract code address: https://etherscan.io/address/0x0f90ef4e2526E3D1791862574f9Fb26A0f39eC86#code
Game homepage: https://f3dplus.me/play (First round of the game has concluded)
The game ended at 9:46 am on July 26 and the final reward should be assigned to 0x70c03a455a7c7de208ca5b97488212832b8ce157 according to the rules of the game. However, RatingToken has yet to detect any reward-related transactions, and 64 transactions were still pending confirmation after the game ended.
Through the audit, we discovered the following modification to the copycat contract, with four inherent risks:
The copycat code modified the game timer to be set at 8 minutes initially. Every purchase of a Key increases the timer by 1 second, and the timer will not exceed 10 minutes. This modification reduces the time frame needed to obtain the rewards, and picks up the pace and excitement of the game to attract even more profit-seeking players.
Risk 1 - Random-number-generator vulnerability:
The airdrop function is consistent with the original official code and contains a random-number-generator (RNG) vulnerability. As the RNG algorithm is open and available to anyone on Ethereum, the attacker can calculate the probability of an airdrop for the next transaction before making a key purchase, thereby maximizing the chances of obtaining the airdrop reward. Ethereum core developer Péter Szilágyi has also shared on Reddit an attack code targeted at the vulnerability. Also, the address 0x73b61a56cb93c17a1f5fb21c01cfe0fb23f132c3 has successfully exploited this vulnerability to get airdrop rewards from the official game itself.
Risk 2 - Calling an empty interface
The playerbook interface address of the copycat contract is modified as: 0x004f29f33530cfa4a9f10e1a83ca4063ce96df7149. Upon verification however, we discovered that the address does not exist. This may trigger abnormal execution of the contract and result in financial losses.
Risk 3 - Unclear allocation of funds
In the code, the fund allocation ratio is set by TeamFee. Taking Snake 2 as an example, the allocation scheme is set as: fees_=F3Ddatasets.TeamFee(52,10). This means that 52% of the funds are allocated to all key holders of the current round, 10% to the holders of p3d, 20% to the bonus pool, 10% to aff, 2% to com, 1% to swap, 1% to airdrops, but the remaining 4% is unaccounted for. Similarly, the fund allocation schemes of the teams corresponding to fees_, fees_ and fees_ are not transparent enough.
Risk 4 - Asset phishing
The greatest risk lies in how copycat contracts modify the amount to be earned from the purchase amount. From the code, we can see that half of the funds used for key purchase are transferred to the admin account of the contract creator. This type of phishing can quickly attract a large number of uninformed users to purchase copycat keys to get huge returns.
As copycat contracts are considered high-risk, please exercise caution. RatingToken reminds gamer to be prudent when participating in such games to prevent asset loss. The security team of RatingToken shall continue to monitor the development of copycat games and provide detailed vulnerability analysis and utilization reports, with the aim of cleaning up the cryptocurrency circle and safeguarding user asset security.
Introduction to RatingToken:
RatingToken is a data analysis agency incubating at “Blockchain Wave Lab” under Cheetah Mobile (NYSE: CMCM). Tapping on the rich and varied experience of Cheetah Mobile in security and tool development, we provides users with secure, practical technologies and products, so as to help build an eco-system where both users and partners truly benefit from the innovation of blockchain technology.
Established in April 2018, with the mission of “purifying the cryptocurrency circle”, RatingToken is committed to providing professional expertise on blockchain security. Drawing on its technical competency and big-data analysis, the team creates visually intuitive and easy-to-read references to help investors in their decision-making, while providing value to exchanges and investment institutions through real-time monitoring of ICO tokens.
List of partners:
Official website: https://ratingtoken.io/
Cooperation contact: http://firstname.lastname@example.org