Securing smart contracts is no easy task. This technology is relatively new and hence, we don’t yet have clear and widely acceptable best practices on how to build secure smart contracts. In this post, we will take a look at an example of a recent smart contract vulnerability and what can companies do to secure their smart contracts.
Eosbet is an EOS gambling dapp (decentralized application), basically an online casino. On the 14th of September, eosbet.io has been hacked. An unknown hacker cracked eosbet’s smart contract and was able to place bets, without actually betting any of his funds.
In essence, this hacker could place bets without actually risking his funds. If he lost, the funds would stay in his wallet, if he won, he got all the winnings. In just a few hours he managed to “win” around $200K (here’s a link to his wallet).
Later that day, an EOS developer Tang Hongbo has written a post on Reddit describing the vulnerability and suggested fixes.
Eosbet has responded in comments and released an official statement explaining what has happened with their platform and how they have fixed the vulnerability.
EOSBet uses ABI forwarder that helps to listen to contract interactions. A lot of other contracts are using the same ABI forwarder. After discovering this attack, they are in danger of the same vulnerability. This ABI forwards all actions if the calling contract is eosbetdice11(in our case) or eosio.token or if the action is an onerror coming from the eosio system contract.
The code below is vulnerable:
It doesn’t check whether transfer was from eosio.token, so attacker can call transfer directly from eosbetdice11, without transferring EOS to the contract. When he was losing bets, he didn’t lose money, but, when he was winning bets, he got all the prize.
Code was updated by the EOSBet team and below is the latest version:
They have deleted onerror part and added this code:
It ensures that eosbetdice11 transfers are not allowed and only eosio.token can make transfers.
How can you make your smart contracts more secure:
You can never guarantee 100% security, but you can significantly reduce the risk of a security incident. Here’s our take on what companies can do, to ensure the security of their smart contracts:
Enter your email address to subscribe to Hacken Reseach and receive notifications of new posts by email.