
Explained: The MetaWin Hack (November 2024)



Rob Behnke

November 5th, 2024


MetaWin is an online casino that operates across multiple blockchains, including Ethereum and Solana. In November 2024, the platform experienced a hack in which an estimated $4 million was stolen from the project.

Inside the Attack

The root cause of this incident was a vulnerability in the platform’s “frictionless withdrawal system.” The purpose of this system is to make it easier for players to withdraw their winnings from the online casino. By reducing friction in the withdrawal flow, the feature is intended to make the casino more user-friendly and more attractive to prospective players.

However, this ease of performing withdrawals had negative repercussions when an attacker targeted the online casino. According to Richard “Skel” Skelhorn, the platform’s CEO, the attacker exploited a vulnerability in the frictionless withdrawal system to drain the project’s hot wallets on the Ethereum and Solana blockchains. In total, an estimated $4 million in crypto was taken from the platform before being moved to Kucoin and a nested service on HitBTC.

An investigation by ZachXBT identified approximately 115 addresses associated with the attacker’s blockchain address, potentially indicating that the intrusion was performed by a group or a member of a cybercrime organization.

In the wake of the hack, MetaWin temporarily paused withdrawals, later restoring them for the majority of users. Skelhorn also took action to replace the stolen funds, including restoring balances from his own funds.

Lessons Learned from the Attack

The MetaWin hack demonstrates the importance of robust security for hot wallets. A hot wallet keeps its signing keys online so that software can spend from it automatically, which means any flaw in a code path authorized to spend from it, such as the withdrawal system here, translates directly into stolen funds. MetaWin intentionally developed a low-friction method for players to withdraw their winnings from the platform, since difficult withdrawals might make players less willing to use it. However, this approach places significant trust in the casino’s ability to differentiate between legitimate and malicious withdrawal requests before they reach its hot wallets.

One common method for managing the security risks of hot wallets is to keep the bulk of funds in cold or hardware wallets and hold only a limited operating float in the hot wallet, so that a compromise of the automated path is bounded by that float. However, fully cold storage isn’t an option for platforms that need to support rapid withdrawals, like MetaWin and many crypto exchanges, which is why the automated withdrawal path itself needs strict limits.
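As an added example, the following withdrawal gate shows the kind of server-side controls a practitioner would put between withdrawal requests and a hot wallet: a ledger balance that is checked and debited server-side rather than trusted from the client, an idempotency key so a replayed request cannot pay twice, per-request and per-user daily caps, a bounded hot-wallet float topped up from cold storage, and a global outflow circuit breaker that pauses all payouts when the total leaving the wallet in a short window exceeds a threshold. This is illustrative code written for this post; it is not MetaWin’s withdrawal system, whose internals were not published, and nothing in it describes the actual vulnerability. All names, thresholds and the sample ledger are assumptions constructed for the example.

```python
"""Illustrative hot-wallet withdrawal gate (added example, not MetaWin's code).

All thresholds, user names and balances are assumptions constructed for the
example; they are not taken from the incident.
"""
from collections import deque
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"        # pay immediately from the hot wallet
    QUEUE_COLD = "queue_cold"  # exceeds hot float; settle from cold storage after review
    REJECT = "reject"
    PAUSED = "paused"          # circuit breaker tripped; all payouts halted


@dataclass
class Policy:
    per_request_max: Decimal = Decimal("5000")
    per_user_daily_max: Decimal = Decimal("10000")
    hot_float_max: Decimal = Decimal("50000")        # never hold more than this hot
    breaker_window_s: int = 600
    breaker_outflow_max: Decimal = Decimal("20000")  # total paid in window before pausing


@dataclass
class WithdrawalGate:
    balances: dict                 # user -> ledger balance (server-side source of truth)
    hot_wallet_balance: Decimal
    policy: Policy = field(default_factory=Policy)
    seen_requests: set = field(default_factory=set)
    user_outflow: dict = field(default_factory=dict)   # user -> deque[(ts, amount)]
    global_outflow: deque = field(default_factory=deque)
    paused: bool = False

    @staticmethod
    def _window_sum(q, now, window):
        # Drop entries older than the window, then sum what remains.
        while q and q[0][0] < now - window:
            q.popleft()
        return sum((a for _, a in q), Decimal(0))

    def request(self, request_id, user, amount, now):
        amount = Decimal(amount)
        if self.paused:
            return Decision.PAUSED
        # Idempotency: a replayed or duplicated request id must never pay twice.
        if request_id in self.seen_requests:
            return Decision.REJECT
        self.seen_requests.add(request_id)
        if amount <= 0 or amount > self.policy.per_request_max:
            return Decision.REJECT
        # Balance comes from the ledger, never from the client request.
        if self.balances.get(user, Decimal(0)) < amount:
            return Decision.REJECT
        uq = self.user_outflow.setdefault(user, deque())
        if self._window_sum(uq, now, 86400) + amount > self.policy.per_user_daily_max:
            return Decision.REJECT
        # Global velocity breaker: abnormal total outflow halts every payout.
        window = self.policy.breaker_window_s
        if self._window_sum(self.global_outflow, now, window) + amount > self.policy.breaker_outflow_max:
            self.paused = True
            return Decision.PAUSED
        # Debit the ledger before any funds move, then record outflow.
        self.balances[user] -= amount
        uq.append((now, amount))
        self.global_outflow.append((now, amount))
        if amount > self.hot_wallet_balance:
            return Decision.QUEUE_COLD   # hot float exhausted; cold-storage settlement
        self.hot_wallet_balance -= amount
        return Decision.APPROVE

    def refill_from_cold(self, cold_balance):
        """Top the hot wallet up to the float cap; returns the amount moved."""
        room = self.policy.hot_float_max - self.hot_wallet_balance
        moved = max(Decimal(0), min(Decimal(cold_balance), room))
        self.hot_wallet_balance += moved
        return moved


def demo():
    """Run a constructed sequence of requests and return (decisions, gate)."""
    gate = WithdrawalGate(
        balances={"alice": Decimal("8000"), "bob": Decimal("30000"), "carol": Decimal("10000")},
        hot_wallet_balance=Decimal("6000"),
    )
    reqs = [("r1", "alice", "3000", 0), ("r1", "alice", "1000", 0),   # second r1 is a replay
            ("r2", "alice", "4000", 0), ("r3", "alice", "2000", 0),   # r3 exceeds ledger balance
            ("r4", "bob", "6000", 0),                                  # over per-request cap
            ("r5", "bob", "5000", 0), ("r6", "bob", "5000", 0),
            ("r7", "carol", "5000", 1),                                # trips the breaker
            ("r8", "alice", "100", 2)]
    return [gate.request(*r) for r in reqs], gate
```

The key design choice is that every limit is enforced on the server from ledger state, and the hot wallet is only ever one bounded float deep: even if the gate itself had a flaw, the attacker’s haul is capped by the float plus whatever the breaker lets through before it trips, rather than by the platform’s entire reserves.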

Reducing the risk of hot wallets controlled by smart contracts or other software requires comprehensive security audits before any code is released, covering the withdrawal logic and the backend that authorizes it as well as the on-chain contracts. Vulnerabilities found and fixed during the audit process don’t reach production, where they can lead to expensive hacks like this one. For help with auditing and securing your smart contracts, Web2 frontends, and security processes, reach out to Halborn.

© Halborn 2024. All rights reserved.