Contract Vulnerability Patch
A vulnerability has been discovered in multiple contracts using notifications from other contracts. All parameters from notifications need to be explicitly checked as checking only contract name and action name is not sufficient.
Any contract relying on transfer notifications from eosio.token should add this check immediately:
if (transfer.to != _self) return;
If you execute business logic on only incoming transfers, but reuse transfer action for both incoming and outgoing transfers, please use:
if (transfer.from == _self || transfer.to != _self ) return;
Note: This is a contract-level vulnerability and not a system vulnerability. Checks mentioned in this article are also seen in example code from B1 here: https://gist.github.com/tbfleming/d230f3ab2998e8858d3e51af7e4d9aeb
Update: EOS Bet and many other contracts have patched this vulnerability in their contracts. Be sure to share the patch with any developers who may still be unaware.
Code to replicate will be released at a later date to maintain security of unpatched dApps.
Special thanks to Kedar from LibertyBlock and Ben from shEOS in testing the vulnerability.