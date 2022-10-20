Because of an abused Ethereum Alarm Clock contract, exploiters received more ETH-denominated reimbursements than anticipated.

The Ethereum Alarm Clock protocol allows users to plan future Ethereum transactions. Its transaction scheduling logic is implemented in smart contracts.

Peckshield, a blockchain security, and analytics company, disclosed the continuing hack earlier this morning.

We've confirmed an active exploit that makes use of huge gas price to game the TransactionRequestCore contract for reward at the cost of original owner. In fact, the exploit pays the 51% of the profit to the miner, hence this huge MEV-Boost reward. https://t.co/7UAI0JFv72 https://t.co/De6QzFN472 pic.twitter.com/iZahvC83Fp — PeckShield Inc. (@peckshield) October 19, 2022

The attacker begins the vulnerability by using a cancel() method on the Ethereum Alarm Clock contract with an unusually high transaction fee. The exploit happens in the next phase, when the transaction fee refund is computed incorrectly, resulting in a higher payout than planned.

As a result of the increased transaction charge, the exploiter receives a considerably larger ETH return. Under typical conditions, the user invoking the contract would get just a little more than their transaction charge.