Contract Vulnerability Patch

in eos •  6 months ago


A vulnerability has been discovered in multiple contracts using notifications from other contracts. All parameters from notifications need to be explicitly checked as checking only contract name and action name is not sufficient.

Any contract relying on transfer notifications from eosio.token should add this check immediately:

if (transfer.to != _self) return;

If you execute business logic only on incoming transfers, but reuse the transfer action for both incoming and outgoing transfers, please use:

if (transfer.from == _self || transfer.to != _self) return;
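To make the two checks concrete, here is an added example (not code from this post, from EOS Cafe Block, or from B1): a plain C++ model of the notification gate, with std::string standing in for eosio::name. It contrasts the gate that checks only contract name and action name with the patched gate that also checks the transfer parameters; the account names "dapp", "alice" and "mallory" and the amounts are constructed for the demonstration.

```cpp
#include <string>

// Stand-ins for the eosio types a transfer notification handler deals with.
struct asset { long long amount; std::string symbol; };
struct transfer_args { std::string from; std::string to; asset quantity; std::string memo; };

// What a contract sees when a notification is dispatched to it: the contract that
// emitted the action (code), the action name, and the action's parameters.
struct notification { std::string code; std::string action; transfer_args transfer; };

// Before the patch: only the emitting contract and the action name are checked,
// so any eosio.token transfer notification is treated as a deposit, whoever it was for.
inline bool accept_vulnerable(const notification& n) {
    return n.code == "eosio.token" && n.action == "transfer";
}

// After the patch: additionally require that this contract is the recipient, and
// ignore the contract's own outgoing transfers, which arrive as notifications too.
inline bool accept_patched(const notification& n, const std::string& self) {
    if (n.code != "eosio.token" || n.action != "transfer") return false;
    if (n.transfer.from == self || n.transfer.to != self) return false;
    return true;
}

// Amount a deposit handler would credit under each gate; 0 means the notification is ignored.
inline long long credited(const notification& n, const std::string& self, bool patched) {
    bool ok = patched ? accept_patched(n, self) : accept_vulnerable(n);
    return ok ? n.transfer.quantity.amount : 0;
}

// Constructed notifications as received by the contract account "dapp".
inline notification real_deposit()    { return {"eosio.token", "transfer", {"alice", "dapp",    {10000, "EOS"}, "deposit"}}; }
inline notification other_recipient() { return {"eosio.token", "transfer", {"alice", "mallory", {10000, "EOS"}, "deposit"}}; }
inline notification own_payout()      { return {"eosio.token", "transfer", {"dapp",  "alice",   {5000,  "EOS"}, "payout"}}; }
inline notification wrong_contract()  { return {"faketoken",   "transfer", {"alice", "dapp",    {10000, "EOS"}, "deposit"}}; }
```

Only the first notification should ever credit a balance; the unpatched gate also credits the one whose recipient is another account and the contract's own payout.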

Note: This is a contract-level vulnerability and not a system vulnerability. Checks mentioned in this article are also seen in example code from B1 here:

Update: EOS Bet and many other contracts have patched this vulnerability in their contracts. Be sure to share the patch with any developers who may still be unaware.

Code to replicate will be released at a later date to maintain security of unpatched dApps.

Special thanks to Kedar from LibertyBlock and Ben from shEOS for testing the vulnerability.

Telegram  -  @eoscafeblock
Twitter  -  @eoscafeblock
Medium  -  @eoscafeblock
Steemit  -  @eoscafeblock
Website  -
