Skip to content

Repository of EOS Smart Contract known attacks to help devs prevent known vulnerabilities in their contracts

Notifications You must be signed in to change notification settings

EOSArgentina/eos_known_attacks

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 

Repository files navigation

Example Vulnerable Code

Not checking properly code against eosio.token on transfer

Vulnerable code was first posted on stack exchange and used by several dapps which got hacked.

// extend from EOSIO_ABI
#define EOSIO_ABI_EX( TYPE, MEMBERS )
extern "C" {
   void apply( uint64_t receiver, uint64_t code, uint64_t action ) {
      auto self = receiver;
      if( action == N(onerror)) {
         /* onerror is only valid if it is for the "eosio" code account and authorized by "eosio"'s "active permission */
         eosio_assert(code == N(eosio), "onerror action's are only valid from the \"eosio\" system account");
      }
      if( code == self || code == N(eosio.token) || action == N(onerror) ) {
         TYPE thiscontract( self );
         switch( action ) {
            EOSIO_API( TYPE, MEMBERS )
         }
         /* does not allow destructor of thiscontract to run: eosio_exit(0); */ \
      }
   }
}

EOSIO_ABI_EX(eosio::charity, (hi)(transfer))

An improved version was later added.

if( ((code == self && action != N(transfer)) || (code == N(eosio.token) && action == N(transfer)) || action == N(onerror)) ) { 

About

Repository of EOS Smart Contract known attacks to help devs prevent known vulnerabilities in their contracts

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published