Eos: Vulnerability

Created on 12 Oct 2018 · 8 Comments · Source: EOSIO/eos

My issue has been closed. I checked and I still think it is not correct. I signed a transaction with my contract, not with the eosio.token contract!!! And I have completely deleted the keys for eosio.token and eosio from my wallet.

balance_contract

Step one: eosio.token

cleos push action eosio.token create '[ "eosio", "1000000000.0000 EOS"]' -p eosio.token@active
cleos push action eosio.token issue '[ "alice", "100.0000 EOS", "memo" ]' -p eosio@active
cleos push action eosio.token issue '[ "bob", "100.0000 EOS", "memo" ]' -p eosio@active

Step two: balance contract

cleos set contract balance ~/contracts/EOS_projects_1.0.1/balance/

cleos set account permission alice active '{"threshold": 1,"keys": [{"key": "MY_KEY","weight": 1}],"accounts": [{"permission":{"actor":"balance","permission":"active"},"weight":1}]}' owner -p alice

cleos set account permission bob active '{"threshold": 1,"keys": [{"key": "MY_KEY","weight": 1}],"accounts": [{"permission":{"actor":"balance","permission":"active"},"weight":1}]}' owner -p bob

cleos set account permission balance active '{"threshold": 1,"keys": [{"key": "MY_KEY","weight": 1}], "accounts": [{"permission":{"actor":"balance","permission":"eosio.code"},"weight":1}]}' -p balance@owner

Step three: deposit

cleos push action balance deposit '["alice", "10.0000 EOS"]' -p alice@active

cleos get currency balance eosio.token balance
return >>> 10.0000 EOS
cleos get table balance balance balance.of
return >>> 
{
  "rows": [{
      "owner": "alice",
      "eos_balance": "10.0000 EOS"
    }
  ],
  "more": false
}

Step four: vulnerability, transfer

cleos transfer balance bob '5.0000 EOS' -p balance@active
return >>>
executed transaction: 37b5cfd0bfd135e62f11e8ed43133c2f20906f74d33b010a84b767ada390bd08  128 bytes  2010 us
#   eosio.token <= eosio.token::transfer        {"from":"balance","to":"bob","quantity":"5.0000 EOS","memo":""}
#       balance <= eosio.token::transfer        {"from":"balance","to":"bob","quantity":"5.0000 EOS","memo":""}
#           bob <= eosio.token::transfer        {"from":"balance","to":"bob","quantity":"5.0000 EOS","memo":""}
warning: transaction executed locally, but may not be confirmed by the network yet

cleos get currency balance eosio.token balance
return >>> 
5.0000 EOS

cleos push action eosio.token transfer '[ "balance", "bob", "1.0000 EOS", "memo" ]' -p balance@active
return >>>
executed transaction: cc3ecb999ccb6eb3e80027c9b1b17c5adf9e5d48b4974a7e261cf57365ccb330  136 bytes  2068 us
#   eosio.token <= eosio.token::transfer        {"from":"balance","to":"bob","quantity":"1.0000 EOS","memo":"memo"}
#       balance <= eosio.token::transfer        {"from":"balance","to":"bob","quantity":"1.0000 EOS","memo":"memo"}
#           bob <= eosio.token::transfer        {"from":"balance","to":"bob","quantity":"1.0000 EOS","memo":"memo"}
warning: transaction executed locally, but may not be confirmed by the network yet

cleos get currency balance eosio.token balance
return >>>
4.0000 EOS

All 8 comments

I ask you not to close the issue until the question is really closed! I'm not using the eosio.token private key!
closed_issue

I don't see any issue here. In your example, alice and bob have already given their active permission to balance@active, which means "balance" can do anything that alice and bob can do with their "active" permission. In reality, a user will not give his/her active permission to an untrusted account.

@taokayan
How do you make a deposit without these permissions??! Why are you so unfriendly!! Closed issues... again!

I took the dice as a basis.

Ignore dice. It’s bad code scheduled for deletion. Contracts shouldn’t attempt to transfer funds from users’ accounts. Instead, users should transfer to contracts, and contracts may transfer to users.

@tbfleming I don't understand. How do I realize it?

Instead, users should transfer to contracts, and contracts may transfer to users.

Do you have an example?

This example is out of date. The code needs to be updated, but the approach follows current guidelines for handling funds:
https://gist.github.com/tbfleming/d230f3ab2998e8858d3e51af7e4d9aeb

@tbfleming oh, I understand now, but if the user makes a deposit, I do not need his permission to trigger a transfer action in eosio.token. The main problem remains, because I call cleos push action eosio.token transfer '[ "balance", "bob", "1.0000 EOS", "memo" ]' -p balance@active
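As an added illustration of the two replies above (not code from the issue or from EOSIO): a small Python model of EOSIO authority resolution. It shows that, with alice's active permission delegated to balance@active as in the issue, both balance's key and balance's contract code satisfy alice@active, whereas the recommended setup keeps alice's funds under her own key while the contract can still transfer its own funds through eosio.code. The Authority class, the key names and the `satisfied` check are constructed for the model, not EOSIO's implementation.

```python
"""Model of EOSIO authority resolution (constructed example, not EOSIO code).
An authority is met when the weights of matching signing keys plus the weights
of delegated account permissions that are themselves met reach the threshold.
"eosio.code" is a virtual permission met only while that contract's code runs."""
from dataclasses import dataclass, field


@dataclass
class Authority:
    threshold: int
    keys: dict = field(default_factory=dict)      # public key -> weight
    accounts: dict = field(default_factory=dict)  # (actor, permission) -> weight


def satisfied(chain, actor, perm, signing_keys, inline_from=None, seen=frozenset()):
    """True if actor@perm is met by signing_keys and/or inline_from's contract code."""
    if perm == "eosio.code":
        return actor == inline_from
    if (actor, perm) in seen:                     # delegation cycle: not met
        return False
    auth = chain[actor][perm]
    weight = sum(w for k, w in auth.keys.items() if k in signing_keys)
    for (d_actor, d_perm), w in auth.accounts.items():
        if weight >= auth.threshold:
            break
        if satisfied(chain, d_actor, d_perm, signing_keys, inline_from, seen | {(actor, perm)}):
            weight += w
    return weight >= auth.threshold


def issue_setup():
    """Permissions as set in the issue: alice and bob delegate active to balance@active."""
    return {
        "alice":   {"active": Authority(1, {"ALICE_KEY": 1}, {("balance", "active"): 1})},
        "bob":     {"active": Authority(1, {"BOB_KEY": 1}, {("balance", "active"): 1})},
        "balance": {"active": Authority(1, {"BALANCE_KEY": 1}, {("balance", "eosio.code"): 1})},
    }


def recommended_setup():
    """Users keep only their own keys; balance keeps eosio.code for its inline transfers."""
    chain = issue_setup()
    for user in ("alice", "bob"):
        chain[user]["active"].accounts.clear()
    return chain


def who_controls_alice(chain):
    """Which parties can authorise an eosio.token transfer *from* alice's account."""
    return {
        "alice_key": satisfied(chain, "alice", "active", {"ALICE_KEY"}),
        "balance_key": satisfied(chain, "alice", "active", {"BALANCE_KEY"}),
        "balance_contract_code": satisfied(chain, "alice", "active", set(), inline_from="balance"),
    }
```

In the recommended setup a deposit is alice signing the eosio.token transfer to balance herself, and a withdrawal is an inline transfer from balance that is authorised by eosio.code alone.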
