The King of the Ether Throne: A Study in Smart Contract Vulnerabilities

Cryptocurrencies and blockchain technology have seen a massive surge in popularity in the last decade. This digital wave has given rise to numerous innovative projects, one of them being the “King of the Ether.” As a fascinating blend of digital currency and game theory, it has captivated the interest of many.

The “King of the Ether” – more than a game. It’s a project that highlights the importance of smart contracts in the cryptocurrency world. These self-executing contracts with the terms of the agreement directly written into code have the potential to revolutionize numerous industries. They promise trust, security, and efficiency, but as with all burgeoning technologies, there are hurdles to overcome.

Understanding The King of the Ether

The “King of the Ether” is a decentralized application (DApp) game built on the Ethereum blockchain. At its core, the game operates based on smart contracts. Players send Ether (ETH) to the contract to dethrone the current “King.” After taking the throne, the player joined the “Hall of Monarchs” and gained the right to receive the ether paid by the next king who would overthrow them. As a new king ascends, the cost to dethrone them rises, resulting in a larger potential payout for the deposed king. If no new successor appeared within 14 days, the “King of the Ether” game would reset and start again. The concept centers on a new king paying to claim the throne, expecting a higher offer from a future successor.

“King of the Ether” is no longer being updated – the contract works on the blockchain but new Kings will not be added to the “Hall of Monarchs”. 

Smart Contracts: The Key to the Throne

Smart contracts in the “King of the Ether” dictate the rules of the game. When a player pays the current price to the smart contract, the contract automatically dethrones the existing king, crowns the new one, and adjusts the price for the next contender. Blockchain games like “King of the Ether” are possible because of their automatic and decentralized execution.

However, using smart contracts poses challenges. Writing them meticulously is necessary to ensure their intended functionality. Exploiting vulnerabilities in blockchain contracts can have catastrophic consequences due to the irreversible nature of transactions.

The Code of the The King of the Ether contract

Below is a simplified version of the original KotET contract. 

contract KotET {
**address public king;  

uint public claimPrice = 100;  

address owner;**

//constructor, assigning ownership

**constructor() {  

    owner = msg.sender;  

    king = msg.sender;  

}**

//for contract creator to withdraw commission fees    **function sweepCommission(uint amount) {  

    owner.send(amount);  

}**

//fallback function    **function() {  

    if (msg.value < claimPrice) revert;  

    uint compensation = calculateCompensation();**

            **king.send(compensation);  

    king = msg.sender;  

    claimPrice = calculateNewPrice();  

}**

Smart Contract Vulnerabilities in King of the Ether

The King of the Ether Throne (KotET) contract functioned as expected in all situations, except when it attempted to send a payment to a contract account, such as an Ethereum Mist contract-based wallet.

The issue arose due to the contract inadvertently including a scant 2300 gas with each payment. Unfortunately, this was insufficient for an Ethereum Mist contract-based wallet to successfully process a payment, leading the wallet contract to fail.

When the wallet contract failed, the Ether originally sent by the KotET contract was returned. However, the KotET contract remained oblivious to this failed payment and continued processing. This led to an unfortunate situation. The incoming player was crowned King, despite the failed compensation payment to the preceding ruler. This issue further underscores the importance of careful error checking and compensation processing in smart contracts to avoid such scenarios.

The fatal flaw in the KotET contract lies in the use of address.send() and the lack of a mechanism to check for exception errors during a failed call.

Address.send() and address.transfer() are limited to a stipend of 2300 gas. While this limit serves as protection against reentrancy attacks, it can lead to failed fund transfers if the contract’s fallback function requires more than 2300 gas. In KotET’s case, an Ethereum mist “contract-based wallet” was used rather than a “contract account,” which caused a shortfall in gas during the payout to the dethroned King. As a result, Ether was returned to the KotET contract, no new king was crowned, and the contract became irrevocably stuck.

The Solution

The contract’s security could be enhanced by replacing king.send(compensation) with king.call.value(compensation) in the fallback function. Implementing this change would require a careful gas limit assignment. However, balancing the needs of both receiving wallet contracts and callers of the current contract proves to be an almost impossible task. Even then, the contract could be susceptible to a Denial of Service (DoS) attack. For instance, an attacker could create a contract with a fallback function that throws an exception (revert()), causing the contract to become permanently stuck.

Two potential solutions for the KotET issue include:

Throwing an exception and reverting the call by adding a revert function, which would prevent the contract from being stuck. However, additional steps would be needed to facilitate payment transfers. Possible methods include the contract owner sending batch payments or implementing a batch payout that guarantees payments are sent until the “jackpot” is depleted.

Implementing a withdraw pattern instead of a direct send call, structuring the contract such that a player can only cause their own withdraw to fail, not the rest of the contract. The downside to this pattern is reduced autonomy and increased user interaction.

Conclusion

The “King of the Ether” project highlights smart contract vulnerabilities. It emphasize the need for meticulous design, thorough testing, and robust error-checking. Lessons from this project can guide the blockchain community to build secure smart contracts. Attention to error-checking and compensation processing can improve their success. The future of cryptocurrency can be safer and full of potential with these precautions.

Want to read more about smart contract security? Read our article about the DAO Hack