Analysis of the EOS DApp deposit “false notification” vulnerability
by: SlowMist Security Team
translated by: Kai Jing(荆凯)@EOS42
1. The mechanism of the vulnerability
In an EOS smart contract, the handler of an action can call require_recipient to have that same action delivered, with identical action data, to another account's contract as a notification. This gives contract developers great convenience, but it also introduces a new problem: the notified contract receives the action exactly as the original action carried it, so a transfer handler that assumes every notification concerns a payment to itself can be fed, by a third party's contract, the notification of a transfer that was actually sent to that third party.
Let's take the attack on the EOSBet DApp as an example:
2. Reproducing the vulnerability
1. Create a normal attacker account: aaaaaa
2. Create an attacker contract account: cccccc, and deploy the attacking contract to it
3. Target account of the attack: eosbetdice11
We modify the official open-source contract code by adding print statements so that the call sequence can be observed:
4. Launch the attack: transfer EOS from the attacker's normal account aaaaaa to the malicious contract account cccccc. No EOS is sent to eosbetdice11; the contract deployed on cccccc is notified of this transfer and forwards the notification to eosbetdice11 with require_recipient.
From the console output we can see that the transfer function of eosbetdice11 is nevertheless invoked:
3. Repair plan
In the transfer handler, add a check that to is equal to _self (the account the contract is running as) and ignore the notification otherwise; this closes this specific problem. If you have any questions, please contact us for help.
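The reproduction steps in section 2 and the check in section 3, as an added example that is not part of SlowMist's article or of EOSBet's contract. Real EOS contracts are C++ built against eosiolib; the block below is plain C++ that simulates only the part of action delivery that matters here (require_recipient re-delivering the same action, with the same code and data, to another account), so that both the attack and the fix can be run on any machine. The eosio.token transfer, the dice contract's bet bookkeeping and the attacker contract are simplified stand-ins written for this example; the account names aaaaaa, cccccc and eosbetdice11 are the ones used in the article.

```cpp
// Added example, not code from SlowMist or EOSBet: a host-side simulation of how
// EOS delivers one action to every notified account. It shows why a transfer handler
// that never checks `to == _self` accepts a notification forwarded by a third party's
// contract, and that the repair plan's check stops it. Account names follow the
// article; the dice contract's bookkeeping is invented.
#include <cstdint>
#include <functional>
#include <iostream>
#include <map>
#include <string>
#include <vector>

using name = std::string;  // stand-in for eosio::name

// eosio.token transfer data; every notified contract sees this same struct.
struct transfer_args {
    name from, to;
    int64_t quantity;  // whole EOS units, to keep the simulation small
};

struct chain;
// Handler a contract registers for transfer: (chain, receiver i.e. _self, args).
using handler = std::function<void(chain&, name, const transfer_args&)>;

struct chain {
    std::map<name, handler> contracts;  // accounts with code deployed
    std::map<name, int64_t> balances;   // eosio.token balances
    std::map<name, int64_t> bets;       // what eosbetdice11 believes each account paid it
    name code;                          // account that owns the action being delivered
    std::vector<name> pending;          // accounts queued by require_recipient

    // eosio::require_recipient semantics: the same action (same code, same data)
    // is delivered again with `acct` as receiver.
    void require_recipient(const name& acct) { pending.push_back(acct); }
    // Run `receiver`'s contract, then every account that contract queued.
    void deliver(const name& receiver, const transfer_args& a) {
        auto it = contracts.find(receiver);
        if (it != contracts.end()) it->second(*this, receiver, a);
        std::vector<name> queued;
        queued.swap(pending);
        for (const name& r : queued) deliver(r, a);
    }
    // A user pushes the action to `contract`; `code` stays fixed during delivery.
    void push_action(const name& contract, const transfer_args& a) { code = contract; deliver(contract, a); }
};

// eosio.token transfer reduced to what matters: move balance, notify both parties.
const handler eosio_token = [](chain& c, name, const transfer_args& a) {
    c.balances[a.from] -= a.quantity;
    c.balances[a.to] += a.quantity;
    c.require_recipient(a.from);
    c.require_recipient(a.to);
};
// Attacker's contract on cccccc: forward every genuine eosio.token notification to
// the target. eosbetdice11 is not a party to the transfer, so `to` stays cccccc.
const handler malicious_cccccc = [](chain& c, name, const transfer_args&) {
    if (c.code == "eosio.token") c.require_recipient("eosbetdice11");
};
// Vulnerable dice contract: rejects fake tokens and its own payouts, but never asks
// whether the transfer was made to itself.
const handler vulnerable_dice = [](chain& c, name self, const transfer_args& a) {
    if (c.code != "eosio.token" || a.from == self) return;
    c.bets[a.from] += a.quantity;  // credits a bet it was never paid
};
// Repaired dice contract with the check from the repair plan. Returning rather than
// asserting leaves the forwarding contract's own transfer intact.
const handler fixed_dice = [](chain& c, name self, const transfer_args& a) {
    if (c.code != "eosio.token" || a.from == self) return;
    if (a.to != self) return;  // notification of somebody else's transfer
    c.bets[a.from] += a.quantity;
};

static chain fresh_chain(const handler& dice) {
    chain c;
    c.balances["aaaaaa"] = 100;
    c.contracts["eosio.token"] = eosio_token;
    c.contracts["cccccc"] = malicious_cccccc;
    c.contracts["eosbetdice11"] = dice;
    return c;
}
// Step 4 of the reproduction: aaaaaa sends real EOS to cccccc only. Returns the
// amount eosbetdice11 believes aaaaaa paid it.
int64_t run_attack(const handler& dice) {
    chain c = fresh_chain(dice);
    c.push_action("eosio.token", {"aaaaaa", "cccccc", 100});
    return c.bets["aaaaaa"];
}
// Control: a genuine bet paid straight to eosbetdice11 must still be credited.
int64_t run_legit_bet(const handler& dice) {
    chain c = fresh_chain(dice);
    c.push_action("eosio.token", {"aaaaaa", "eosbetdice11", 100});
    return c.bets["aaaaaa"];
}

int main() {  // prints 100 0 100
    std::cout << run_attack(vulnerable_dice) << ' ' << run_attack(fixed_dice) << ' '
              << run_legit_bet(fixed_dice) << '\n';
}
```

Build with g++ -std=c++17 and run: the vulnerable handler credits aaaaaa with a 100 EOS bet although eosbetdice11 received nothing, the repaired handler credits 0, and a genuine transfer to eosbetdice11 is still credited. In a real contract the receiver passed to the handler is _self, the contract's own account, so the repaired handler's condition is exactly the to == _self check from the repair plan. The code == eosio.token check shown alongside it guards against the separate case of a fake token contract and is kept here only so that the vulnerable handler is realistic: it is not enough on its own, because in the attack the action really does belong to eosio.token.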