A minor EOS-based token is drawing negative attention after the community discovered a critical error in the code behind its ill-fated airdrop.
Se7ens.io recently ran an airdrop that offered 10,000 free tokens to each of its followers. Unfortunately, the smart contract that executed the airdrop contained several flaws that resulted in an unlimited flow of tokens.
What Went Wrong
The security hole was discovered on Thursday by Medium blogger cc32d9, who explained what Se7ens did wrong.
The airdrop was built on a basic smart contract called eosio.token, which is widely used and considered secure. However, Se7ens.io made several changes that proved disastrous.
Notably, the standard “issue” and “transfer” actions were bypassed by the smart contract. Se7ens instead relied on a custom “signup” action. As cc32d9 explains:
“[This] takes the necessary amount of SEVEN tokens and just gives the tokens to the user; the tokens appear magically [in] your.”
The smart contract also neglected to check the number of tokens requested by the user. Because this was overlooked, cc32d9 was able to request and receive one billion tokens from the airdrop. In the standard eosio.token contract, issuing new tokens requires the issuer’s authority and is capped at the token’s declared maximum supply; a custom mint path that simply credits a caller-supplied quantity discards both of those checks.
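To make the failure concrete, here is an added example (not Se7ens’ contract, which is not reproduced on this page, and not the eosio.token source itself) that models the airdrop as a plain C++ ledger: a signup action that credits whatever quantity the caller passes, beside a hardened version that mints a fixed allocation once per account and respects the supply cap. The names Ledger, signup_vulnerable, signup_hardened and balance_of, and the supply figures, are assumptions chosen for illustration; a real EOSIO contract would express the same checks with eosio::check and require_auth.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>

// Whole-token amounts; a real eosio.token uses eosio::asset with a precision.
typedef std::map<std::string, int64_t> Balances;

// Minimal in-memory stand-in for the eosio.token "stat" and "accounts" tables.
// (Hypothetical model for this example, not the real contract's storage.)
struct Ledger {
    int64_t max_supply;             // declared cap, as in the token's stat row
    int64_t supply;                 // tokens issued so far
    Balances balances;              // account -> balance
    std::set<std::string> claimed;  // used only by the hardened action
    explicit Ledger(int64_t max) : max_supply(max), supply(0) {}
};

// Reproduces the flaw described above: the caller chooses the quantity and the
// action credits it without comparing it to the advertised allocation, without
// checking max_supply, and without remembering who has already claimed.
// The standard eosio.token "issue" action performs the issuer-auth and
// max_supply checks that this path skips.
void signup_vulnerable(Ledger &l, const std::string &account, int64_t quantity) {
    l.supply += quantity;
    l.balances[account] += quantity;
}

// Per-account allocation the airdrop advertised.
const int64_t AIRDROP_AMOUNT = 10000;

// Hardened version: the caller cannot pick a quantity at all, each account may
// claim once, and the declared supply cap is enforced. In a real contract this
// would also call require_auth(account) so only the owner can claim for it.
// Returns true if the claim was credited, false if it was rejected.
bool signup_hardened(Ledger &l, const std::string &account) {
    if (l.claimed.count(account) != 0) return false;            // already claimed
    if (l.supply + AIRDROP_AMOUNT > l.max_supply) return false; // would exceed cap
    l.claimed.insert(account);
    l.supply += AIRDROP_AMOUNT;
    l.balances[account] += AIRDROP_AMOUNT;
    return true;
}

// Balance lookup that treats unknown accounts as holding zero.
int64_t balance_of(const Ledger &l, const std::string &account) {
    Balances::const_iterator it = l.balances.find(account);
    return it == l.balances.end() ? 0 : it->second;
}
```

Run against constructed input, the vulnerable action happily credits a request for one billion tokens to a single account, while the hardened action credits exactly 10,000 to a first-time claimant, rejects a second claim from the same account, and refuses any claim that would push the issued supply past the cap.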
“Bug Bounty”
Cc32d9 did not get to keep his one billion tokens for long. He posted a thread on Reddit explaining the problem, and shortly after, another user reported the bug to Se7ens on Telegram. Se7ens replied with the following message:
“Thanks for your time; we will handle fixing that. It is better to learn about things like that before we become listed. Stay tuned for updates.”
Se7ens’ fix involved taking the tokens back from cc32d9, who was subsequently rewarded with 100,000 tokens as a bug bounty. This was done silently, leaving no record of the transactions in the user’s history.
This decision was not well received by the community. Although cc32d9 did not obtain the tokens fairly, Se7ens’ lack of transparency and its willingness to confiscate tokens cast further doubt on the project.
Yet Another Bug
It looks like EOS can’t catch a break: the platform has hosted a number of smart contracts with fatal flaws since its launch in June. Recently, EOSBet was found to have a bug that allowed attackers to steal 40,000 EOS tokens.
It is not yet clear what is causing EOS’s influx of badly coded smart contracts, nor whether EOS is inherently more prone to them than any other blockchain.
In this case, though, much of the blame lies with Se7ens’ developers. As cc32d9 notes, modifications to the standard eosio.token contract are usually unnecessary, and changes certainly should not be made without extensive testing. Se7ens’ modifications were undeniably reckless.