EOS-Based Token Airdrop Accidentally Gives Away Unlimited Tokens

A minor EOS-based token is receiving negative attention after the community discovered a critical error in the code of the token’s ill-fated airdrop.

Se7ens.io recently ran an airdrop that offered a total of 10,000 free tokens to their followers. Unfortunately, the smart contract that executed the airdrop contained several flaws that resulted in an unlimited flow of tokens.

What Went Wrong

The security hole was discovered Thursday by Medium blogger cc32d9, who explained what Se7ens did wrong.

The airdrop utilized a standard smart contract called eosio.token, which is secure and widely used. However, Se7ens.io made several changes that proved to be disastrous.

Notably, the standard “issue” and “transfer” functions were ignored by the smart contract. Se7ens instead relied on a custom “signup” function. As cc32d9 explains:

“[This] takes the desired amount of SEVEN tokens, and just gives the tokens to the user…the tokens appear magically [in] your account.”

The smart contract also neglected to check the number of tokens requested by the user. Because this had been overlooked, cc32d9 managed to request and obtain one billion tokens from the airdrop.
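As an added illustration (not the Se7ens or eosio.token code, which the article does not reproduce), a plain C++ model of the two behaviours: the unchecked "signup" credit cc32d9 describes, beside a version that enforces the one-claim, per-claim and total-supply limits that the standard issue/transfer path is there to protect. The 100-token per-account limit is an assumed value.

```cpp
// Added illustration, not the Se7ens contract: a minimal airdrop ledger model.
#include <cstdint>
#include <map>
#include <string>

struct Airdrop {
    const int64_t max_supply;   // hard ceiling on tokens that may ever exist (10,000 here)
    const int64_t claim_limit;  // assumed value: the most one account may claim
    int64_t issued = 0;         // running total credited so far
    std::map<std::string, int64_t> balances;
    std::map<std::string, bool> claimed;

    Airdrop(int64_t max, int64_t limit) : max_supply(max), claim_limit(limit) {}

    // Vulnerable pattern: credits whatever the caller asks for and never
    // touches `issued` or `max_supply`, so the airdrop budget is meaningless.
    void signup_unchecked(const std::string& user, int64_t amount) {
        balances[user] += amount;
    }

    // Hardened pattern: one claim per account, bounded amount, and counted
    // against the supply ceiling the way a proper issue() would be.
    bool signup_checked(const std::string& user, int64_t amount) {
        if (amount <= 0 || amount > claim_limit) return false;  // bad or oversized request
        if (claimed[user]) return false;                         // account already claimed
        if (issued + amount > max_supply) return false;          // would exceed supply
        claimed[user] = true;
        issued += amount;
        balances[user] += amount;
        return true;
    }

    int64_t balance_of(const std::string& user) const {
        auto it = balances.find(user);
        return it == balances.end() ? 0 : it->second;
    }
};
```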


Bug Bounty

Cc32d9 did not get to keep his one billion tokens for long. He posted a thread on Reddit that explained the situation, and shortly after, another user reported the bug to Se7ens on Telegram. Se7ens replied with the following message:

“Thank you we will work on fixing that. It’s best to learn about things like that before we get listed. Stay tuned for updates.”

Se7ens’ fix involved taking the tokens back from cc32d9, who was subsequently rewarded with 100,000 tokens as a bug bounty. This action was carried out silently, leaving no record of transactions in the user’s history.

This decision was not well-received by the community. Although cc32d9 did not obtain the tokens fairly, Se7ens’ lack of transparency and readiness to confiscate tokens cast further doubt on the project.

Yet Another Bug

It seems that EOS can’t catch a break: the platform has been host to a number of smart contracts with fatal flaws since its launch in June. Most recently, EOSBet was found to contain a bug that allowed attackers to steal 40,000 EOS tokens.

It’s not clear what exactly is causing EOS’s influx of badly coded smart contracts — nor is it clear whether EOS is in fact worse in this regard than any other blockchain.

In this case, though, much of the blame lies on Se7ens’ developers. As cc32d9 notes, modifications to the standard eosio.token contract are generally unnecessary, and changes certainly should not be made without extensive testing. Se7ens’ modifications were undeniably reckless.

The post EOS-Based Token Airdrop Accidentally Gives Away Unlimited Tokens appeared first on UNHASHED.