DuelBits Hack
Incident Overview
Duelbits crypto casino was exploited through access control breach, resulting in a loss of 4,643,315 USD.
Duelbits, a crypto casino and sports betting platform, experienced an exploit on February 13, 2024. The attacker gained access to a Duelbits wallet. The root cause of this exploit appears to be a loss of wallet access control.
The attacker stole various assets, including ETH, BNB, BUSD, USDT, SHIBA INU, and ApeCoin, totaling a loss of 4,643,315 USD. The stolen funds were bridged, exchanged to ETH, and transferred to another EOA address.
Attacker Address:
https://bscscan.com/address/0x3933924F…46a666
Funds Holder Address as of Feb 15, 2024:
https://bscscan.com/address/0x0428eEfB…7645f5
Malicious Transactions:
https://bscscan.com/tx/0x3bf414c5…999aa4
https://bscscan.com/tx/0x554d974b…55c580
https://bscscan.com/tx/0xe22ab335…f3be7e
Incident Report
Protocol Information
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to DuelBits, these are the critical security checks that could have prevented this incident (February 2024).
- Verify all logic paths related to Private Key Compromised / Access Control are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialRelated Attack Classes
The technique used in this hack maps to these vulnerability classes in our security curriculum:
Sources & References
- 01
-
02
Web Archive https://archive.ph/kbAO7
- 03
Learn to Prevent the Next DuelBits
The DuelBits hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.