Contract Vulnerability Patch

EOS Cafe Block
Oct 15, 2018 · 1 min read

A vulnerability has been discovered in multiple contracts that rely on notifications from other contracts. All parameters of a notification need to be checked explicitly; checking only the contract name and action name is not sufficient.

Any contract relying on transfer notifications from eosio.token should add this check immediately:

if (transfer.to != _self) return;

If you execute business logic on only incoming transfers, but reuse transfer action for both incoming and outgoing transfers, please use:

if (transfer.from == _self || transfer.to != _self) return;
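Why the parameter check matters, as an added C++ model that is not code from the original post or from any EOSIO library: a notification whose code and action read eosio.token/transfer can describe a transfer between two other accounts, so a handler that checks only code and action credits a deposit the contract never received. The EOSIO types, the DepositContract class, the account names and the quantities below are all constructed stand-ins for illustration.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Constructed stand-ins for EOSIO types (not the real eosiolib headers).
using name = std::string;
struct transfer_args { name from; name to; int64_t quantity; std::string memo; };
// What a contract's apply() sees: notifying code, action name, and action data.
struct notification { name code; std::string action; transfer_args data; };

// Hypothetical dApp that credits user deposits on eosio.token transfer notifications.
class DepositContract {
public:
    explicit DepositContract(name self) : self_(self) {}
    // Vulnerable: trusts any notification whose code and action match.
    void on_notify_vulnerable(const notification& n) {
        if (n.code != "eosio.token" || n.action != "transfer") return;
        balances_[n.data.from] += n.data.quantity;
    }
    // Patched: also checks the action parameters, as the article recommends.
    void on_notify_patched(const notification& n) {
        if (n.code != "eosio.token" || n.action != "transfer") return;
        if (n.data.from == self_ || n.data.to != self_) return;  // the added check
        balances_[n.data.from] += n.data.quantity;
    }
    int64_t balance(const name& user) const {
        auto it = balances_.find(user);
        return it == balances_.end() ? 0 : it->second;
    }
private:
    name self_;
    std::map<name, int64_t> balances_;
};

// Feed the same three notifications through one handler and return the resulting state.
DepositContract simulate(bool use_patched) {
    DepositContract c("dapp");
    // 1) Genuine deposit alice -> dapp, notified by eosio.token.
    notification deposit{"eosio.token", "transfer", {"alice", "dapp", 100, "deposit"}};
    // 2) A transfer alice -> other that a third contract re-notified to dapp; code and
    //    action still read eosio.token/transfer, but dapp received no tokens.
    notification forwarded{"eosio.token", "transfer", {"alice", "other", 500, "not for dapp"}};
    // 3) dapp's own outgoing payout, which must not be counted as a deposit.
    notification payout{"eosio.token", "transfer", {"dapp", "alice", 40, "payout"}};
    for (const auto& n : {deposit, forwarded, payout}) {
        if (use_patched) c.on_notify_patched(n); else c.on_notify_vulnerable(n);
    }
    return c;
}
```

The vulnerable handler ends with 600 credited to alice and 40 to the contract itself; the patched handler credits only the genuine 100.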

Note: This is a contract-level vulnerability and not a system vulnerability. Checks mentioned in this article are also seen in example code from B1 here: https://gist.github.com/tbfleming/d230f3ab2998e8858d3e51af7e4d9aeb

Update: EOS Bet and many other contracts have patched this vulnerability in their contracts. Be sure to share the patch with any developers who may still be unaware.

Code to replicate will be released at a later date to maintain security of unpatched dApps.

Special thanks to Kedar from LibertyBlock and Ben from shEOS in testing the vulnerability.

Telegram — @eoscafeblock
Twitter — @eoscafeblock
Medium — @eoscafeblock
Steemit — @eoscafeblock
Website — www.eoscafeblock.com
