Analysis on the recharge “false notification” vulnerability of EOS DApp

by: SlowMist Security Team
translated by: Kai Jing(荆凯)@EOS42
1. The mechanism of the vulnerability
In an EOS smart contract, one contract can forward a notification to another contract via the function require_recipient. This design gives contract developers great convenience, but at the same time it introduces a new problem: the receiving contract sees the original action's data and code, so it must check for itself that the transfer was actually addressed to it.
Let’s take the EOSBet DApp being attacked as an example:

2. Reproduce the vulnerability
1. Create a normal account for the attacker: aaaaaa
2. Create a contract account for the attacker: cccccc, and deploy the smart contract used for the attack

3. Target account of the attack: eosbetdice11
We modify the official open source code by adding print statements to watch the call process:

4. Start the attack
Transfer from the attacker's normal account aaaaaa to the malicious contract account cccccc:

From the messages in the console, we can see that the transfer handler of eosbetdice11 is invoked successfully, even though the tokens were sent to cccccc, not to eosbetdice11:

3. Repair plan
Add a check in the transfer handler that the to field of the incoming transfer equals _self, so that a notification forwarded by another contract for a transfer addressed elsewhere is rejected and the transaction aborts. If you have any questions, please contact us for help.
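The following is an added example, not code from SlowMist or from EOSBet. It is a stand-alone C++ model of the notification flow described above, with no dependency on the eosio.cdt headers: the chain, ledger and handler types are assumptions made for the simulation, while the account names (aaaaaa, cccccc, eosbetdice11) and the to == _self check are taken from the write-up. It shows the dice contract's transfer handler with and without the repair, and that a genuine deposit is still accepted after the fix.

```cpp
// Added example (not SlowMist's or EOSBet's code): a minimal model of
// require_recipient forwarding and of the to == _self repair.
#include <cstdint>
#include <functional>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

using name = std::string;  // stand-in for eosio::name (assumption)

struct transfer_args {
    name from;
    name to;
    int64_t quantity;      // whole tokens; simplification of eosio::asset
    std::string memo;
};

// Simulated chain (assumption): each account may register a handler that
// receives the notified action together with the code it came from.
struct chain {
    using handler_t = std::function<void(chain&, const name& receiver,
                                         const name& code, const transfer_args&)>;
    std::map<name, handler_t> handlers;
    std::vector<std::string> log;

    // require_recipient re-dispatches the SAME action data, under the same
    // code, to another account; the recipient cannot tell it was forwarded.
    void require_recipient(const name& recipient, const name& code, const transfer_args& t) {
        auto it = handlers.find(recipient);
        if (it != handlers.end()) it->second(*this, recipient, code, t);
    }
    // eosio.token::transfer notifies both payer and payee.
    void token_transfer(const transfer_args& t) {
        require_recipient(t.from, "eosio.token", t);
        require_recipient(t.to, "eosio.token", t);
    }
};

// Dice contract's transfer handler, with the repair switchable for comparison.
struct dice_contract {
    name self;
    bool hardened;
    int64_t credited = 0;

    void on_transfer(chain& c, const name& /*receiver*/, const name& code, const transfer_args& t) {
        if (code != "eosio.token") return;   // only the real token contract
        if (t.from == self) return;          // outgoing payout, nothing to credit
        // Repair plan: the transfer must be addressed to this contract.
        if (hardened && t.to != self) {
            c.log.push_back("rejected: to != _self");
            throw std::runtime_error("transfer is not addressed to this contract");
        }
        credited += t.quantity;
        c.log.push_back("credited " + std::to_string(t.quantity) + " from " + t.from);
    }
};

// Scenario from the write-up: aaaaaa -> cccccc, and cccccc forwards the
// notification to eosbetdice11. Returns how many tokens were credited.
int64_t run_fake_notification(bool hardened) {
    chain c;
    dice_contract dice{"eosbetdice11", hardened};
    c.handlers["eosbetdice11"] = [&](chain& ch, const name& r, const name& code, const transfer_args& t) {
        dice.on_transfer(ch, r, code, t);
    };
    c.handlers["cccccc"] = [&](chain& ch, const name&, const name& code, const transfer_args& t) {
        ch.require_recipient("eosbetdice11", code, t);  // forwarding contract
    };
    try {
        c.token_transfer({"aaaaaa", "cccccc", 10, "constructed sample"});
    } catch (const std::runtime_error&) {
        // On EOS the whole transaction aborts here; nothing is credited.
    }
    return dice.credited;
}

// Control case: a real deposit sent directly to eosbetdice11.
int64_t run_real_deposit(bool hardened) {
    chain c;
    dice_contract dice{"eosbetdice11", hardened};
    c.handlers["eosbetdice11"] = [&](chain& ch, const name& r, const name& code, const transfer_args& t) {
        dice.on_transfer(ch, r, code, t);
    };
    c.token_transfer({"aaaaaa", "eosbetdice11", 10, "constructed sample"});
    return dice.credited;
}
```

Without the check, the forwarded notification credits 10 tokens that eosbetdice11 never received; with the check, the handler throws, the transaction aborts, and the genuine deposit in the control case is still credited. In a real eosio.cdt contract the same check is written as eosio_assert(to == _self, ...) (or check() in newer CDT versions) at the top of the transfer handler.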

