Contract Vulnerability Patch

in eos •  6 years ago 


A vulnerability has been discovered in multiple contracts that act on notifications from other contracts. Every parameter carried by a notification must be explicitly checked; verifying only the notifying contract name and the action name is not sufficient.

Any contract relying on transfer notifications from eosio.token should add this check immediately:

if (transfer.to != _self) return;

If your business logic should run only on incoming transfers, but the same transfer handler is used for both incoming and outgoing transfers, use:

if (transfer.from == _self || transfer.to != _self) return;
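The following is an added example, not code from the original post or from any of the contracts it mentions. It models the two checks above in plain C++ (std::string in place of eosio::name, an integer in place of eosio::asset, and a constructed notification struct instead of the EOSIO SDK) so it compiles stand-alone. It puts the unpatched handler, which trusts the notifying contract and action name alone, beside the two patched variants, and shows that a notification whose `to` field names some other account is ignored by the patched code but credited by the unpatched code.

```cpp
// Added example (not the original post's code): a self-contained model of the
// transfer-notification checks. Names and assets are simplified plain types.
#include <cstdint>
#include <iostream>
#include <string>

// Simplified eosio.token transfer parameters (from, to, quantity, memo).
struct transfer_args {
    std::string from;
    std::string to;
    int64_t     quantity;   // integer token amount instead of eosio::asset
    std::string memo;
};

// A notification as delivered to a contract: the account whose action
// triggered it, the action name, and the action's parameters.
struct notification {
    std::string   code;     // e.g. "eosio.token"
    std::string   action;   // e.g. "transfer"
    transfer_args args;
};

enum class decision { ignore, credit };

// Unpatched handler: checks only the contract name and action name, then
// credits. A transfer notification reaches every account named in it (and any
// account the notified contract forwards it to), so this can credit a transfer
// that was never sent to this contract.
decision handle_unpatched(const notification& n, const std::string& /*self*/) {
    if (n.code != "eosio.token" || n.action != "transfer") return decision::ignore;
    return decision::credit;
}

// Patched handler: also verifies that the transfer's recipient is this contract.
decision handle_patched(const notification& n, const std::string& self) {
    if (n.code != "eosio.token" || n.action != "transfer") return decision::ignore;
    if (n.args.to != self) return decision::ignore;   // "if (transfer.to != _self) return;"
    return decision::credit;
}

// Variant for a handler shared by incoming and outgoing transfers: ignore
// notifications for transfers this contract itself sent.
decision handle_patched_in_out(const notification& n, const std::string& self) {
    if (n.code != "eosio.token" || n.action != "transfer") return decision::ignore;
    if (n.args.from == self || n.args.to != self) return decision::ignore;
    return decision::credit;
}

static const char* show(decision d) { return d == decision::credit ? "credit" : "ignore"; }

int main() {
    const std::string self = "mydapp";   // constructed contract account name
    // Constructed notifications: a genuine deposit, a transfer between two
    // unrelated accounts that still reached us, and our own outgoing payout.
    notification deposit  {"eosio.token", "transfer", {"alice",  "mydapp", 100, "deposit"}};
    notification other    {"eosio.token", "transfer", {"alice",  "bob",    100, "deposit"}};
    notification outgoing {"eosio.token", "transfer", {"mydapp", "alice",   50, "payout"}};

    for (const notification* n : {&deposit, &other, &outgoing}) {
        std::cout << n->args.from << " -> " << n->args.to
                  << "  unpatched=" << show(handle_unpatched(*n, self))
                  << "  patched="   << show(handle_patched(*n, self))
                  << "  in/out="    << show(handle_patched_in_out(*n, self)) << '\n';
    }
    return 0;
}
```

The second constructed notification is the case the post warns about: the notifying contract and action name are exactly what the handler expects, so only the parameter check separates a real deposit from a transfer addressed to someone else.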

Note: This is a contract-level vulnerability and not a system vulnerability. Checks mentioned in this article are also seen in example code from B1 here: https://gist.github.com/tbfleming/d230f3ab2998e8858d3e51af7e4d9aeb

Update: EOS Bet and many other contracts have patched this vulnerability in their contracts. Be sure to share the patch with any developers who may still be unaware.

Code to replicate will be released at a later date to maintain security of unpatched dApps.

Special thanks to Kedar from LibertyBlock and Ben from shEOS for testing the vulnerability.

Telegram  -  @eoscafeblock
Twitter  -  @eoscafeblock
Medium  -  @eoscafeblock
Steemit  -  @eoscafeblock
Website  -  www.eoscafeblock.com
