EOS user exploits ‘dumb’ smart contract to make 1B tokens magically appear

Warning! There is a strong chance this will give readers a sense of déjà vu.
Another EOS decentralized app (dApp) has severely botched an airdrop. This time, fledgling gambling platform Se7ens is in the spotlight, after a community member managed to credit himself with a billion tokens by exploiting its poorly made smart contract.
Se7ens, an EOS-powered dice game, announced it would be distributing exactly half of its seven billion token supply to EOS holders. Developers were meant to send 10,000 tokens to each participating account, but instead were forced into sending so much more.
Below, we can see Se7en’s smart contract ‘mistakenly’ credit an EOS account with one billion SEVEN tokens. Shortly after, the tokens mysteriously disappeared.

“After I published [what happened] on Reddit, [SE7EN] silently cut my balance to 100,000 tokens and called it a bug bounty,” the account holder wrote. “I didn’t even receive any transaction in my history, and the tokens have magically disappeared. So, the team assigns themselves a freedom to modify user balances at will. I wonder how they plan to be listed on an exchange with such treatment of their assets.”
Problems arose when the user noticed developers failed to build Se7en’s smart contract correctly. Strangely, they did not use the standard, pre-built EOS functions made specifically for sending tokens – “issue,” and “transfer.”
This meant cryptocurrency suddenly appeared in user accounts, rather than being transferred over the blockchain. There is no trace of the transactions being confirmed by the network.
To make matters worse, devs did not add any checks to ensure the amounts sent by the airdrop were correct. This is the security flaw that allowed the user to instantly credit himself with 100,000 times the intended amount.
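A simplified model of the two failures described above, added here as an illustration and not Se7ens' contract code: an airdrop claim that writes a balance directly and trusts the requested amount, next to one that enforces the fixed amount and pays out through a recorded transfer. The `Ledger` type, its method names, the caller-supplied amount and the account names are assumptions; only the 10,000-token and seven-billion figures come from the article.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Figures from the article: 10,000 tokens per account, half of a 7 billion supply.
constexpr uint64_t PER_ACCOUNT = 10000;
constexpr uint64_t AIRDROP_POOL = 3500000000ULL;

struct Transfer { std::string from, to; uint64_t amount; };

struct Ledger {  // hypothetical in-memory stand-in for a token contract's tables
    std::map<std::string, uint64_t> balances{{"airdrop", AIRDROP_POOL}};
    std::vector<Transfer> history;  // transfers an observer could audit
    std::set<std::string> claimed;  // accounts that already received the airdrop

    uint64_t total() const {
        uint64_t sum = 0;
        for (const auto& kv : balances) sum += kv.second;
        return sum;
    }
    // Flawed shape: balance row written directly, amount trusted, nothing recorded.
    void claim_unchecked(const std::string& account, uint64_t amount) {
        balances[account] += amount;
    }
    // Debits the sender, credits the receiver, and leaves an auditable record.
    bool transfer(const std::string& from, const std::string& to, uint64_t amount) {
        auto it = balances.find(from);
        if (amount == 0 || it == balances.end() || it->second < amount) return false;
        it->second -= amount;
        balances[to] += amount;
        history.push_back({from, to, amount});
        return true;
    }
    // Hardened shape: fixed amount, one claim per account, paid from the pool.
    bool claim_checked(const std::string& account, uint64_t amount) {
        if (amount != PER_ACCOUNT || claimed.count(account)) return false;
        if (!transfer("airdrop", account, amount)) return false;
        claimed.insert(account);
        return true;
    }
};

int main() {
    Ledger flawed, fixed;
    flawed.claim_unchecked("alice", 1000000000ULL);  // constructed account name
    std::cout << "flawed supply: " << flawed.total() << "\n";
    std::cout << "checked 1B claim accepted: " << fixed.claim_checked("alice", 1000000000ULL) << "\n";
}
```

In the unchecked path the total supply grows past the pool and the history stays empty, which is the pair of symptoms the article reports: tokens that appear without any transfer on record.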
This isn’t even the first time EOS dApp developers have screwed up an airdrop.
Truly, small-time cryptocurrency platform Trybe recently drew community ire after it suddenly accessed user accounts to retrieve tokens mistakenly sent by its smart contract-powered airdrop.
Source: The Next Web