Repository of EOS Smart Contract known attacks to help devs prevent known vulnerabilities in their contracts

README.md

Example Vulnerable Code

Not properly checking the `code` account against `eosio.token` when dispatching `transfer`

This vulnerable dispatcher was first posted on Stack Exchange and copied by several dapps that were subsequently hacked. The problem is the dispatch condition `code == self || code == N(eosio.token) || action == N(onerror)`: it forwards every action registered in the ABI — including `transfer` — when the action was pushed directly to the contract itself (`code == self`). An attacker can therefore invoke the contract's `transfer` handler with arbitrary action data without any tokens moving through `eosio.token`; a handler that treats every dispatched `transfer` as a real deposit is then trivially fooled. The condition also accepts every `eosio.token` action, not only `transfer`.

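// extend from EOSIO_ABI
/*
 * Dispatcher macro derived from the stock EOSIO_ABI: in addition to actions
 * addressed to the contract itself it forwards actions whose `code` is
 * eosio.token, so the contract can react to transfer notifications.
 *
 * This is the KNOWN-VULNERABLE version, kept verbatim as a reference; the
 * flaw is marked at the dispatch condition below.  Every line of the macro
 * body must end in a backslash continuation (they were lost in the original
 * listing, which left the macro empty), and comments inside the body must be
 * C-style because a `//` comment would swallow the continuation.
 *
 * TYPE    - the contract class, constructed with the receiver account
 * MEMBERS - sequence of action handlers, e.g. (hi)(transfer)
 */
#define EOSIO_ABI_EX( TYPE, MEMBERS ) \
extern "C" { \
   void apply( uint64_t receiver, uint64_t code, uint64_t action ) { \
      auto self = receiver; \
      if( action == N(onerror)) { \
         /* onerror is only valid if it is for the "eosio" code account and authorized by "eosio"'s "active permission */ \
         eosio_assert(code == N(eosio), "onerror action's are only valid from the \"eosio\" system account"); \
      } \
      /* VULNERABLE: `code == self` dispatches EVERY handler in MEMBERS, including `transfer`.     \
       * Anyone can push `transfer` straight to this contract's account (code == self) with        \
       * arbitrary action data; no tokens move through eosio.token, yet the handler still runs.   \
       * `code == N(eosio.token)` likewise admits every eosio.token action, not only `transfer`.   \
       * The fix is to pair each action with the only account allowed to deliver it.              */ \
      if( code == self || code == N(eosio.token) || action == N(onerror) ) { \
         TYPE thiscontract( self ); \
         switch( action ) { \
            EOSIO_API( TYPE, MEMBERS ) \
         } \
         /* does not allow destructor of thiscontract to run: eosio_exit(0); */ \
      } \
   } \
}

/* Registers `hi` and `transfer`; with the condition above, `transfer` is reachable via code == self. */
EOSIO_ABI_EX(eosio::charity, (hi)(transfer))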

An improved version of the dispatch condition was later added. It dispatches `transfer` only when `code` is `eosio.token` (a genuine transfer notification) and no longer dispatches `transfer` when `code == self`, so the contract's own `transfer` handler cannot be invoked directly any more. Note that the dispatcher check alone does not make the handler safe: the `transfer` handler should still verify that `to` is the contract itself (notifications are also delivered for outgoing transfers, and other contracts can forward them with `require_recipient`) and that `quantity` carries the expected token symbol.

if( ((code == self && action != N(transfer)) || (code == N(eosio.token) && action == N(transfer)) || action == N(onerror)) ) { 