TL;DR On September 11th 2019, I stumbled upon FairWin.me, a suspicious and busy project on Ethereum responsible for $1.5m worth of gas usage in the last 30 days. In the following three weeks, I reached out to various members in the community and we discovered the following:
- Current contract contains a critical vulnerability
- $8 million worth of ETH stored in the contract could have been stolen by the admins
- Contract is filled with bugs and poor coding practices
- Pictures and emails on website are fake
- $250k was drained in a previous version of the contract
On September 26th, we decided to disclose the presence of vulnerabilities publicly, when the contract held close to 50k ETH (~$8m). On September 30th, 4 days after the disclosure, the contract held 0 ETH. In total, the contract received 687,598 ETH (~$125,000,000) before the Ponzi scheme collapsed.