The 14th of September
EOSBetCasino | EOSBet.IO was hacked: someone placed a bet without transferring EOS, and users tried to figure out where the account had been left unprotected, i.e. which piece of code was written in a way that allowed the abuse. One of the possible explanations was a faulty ABI, which allowed anyone to call the transfer function on behalf of the account owner. But it appeared impossible to determine where the fault lay without analysing the rest of the code.
EOSBetCasino | EOSBet.IO
I can share the code. But the problem is our ABI forwarder just allows users to call eosbetdice11 -> transfer
Because it’s self OR eosio.token
Other attempts to detect the problem turned out to be unsuccessful too:
EOSBetCasino | EOSBet.IO
https://eosio.stackexchange.com/q/421/54
This is what we used. Ran it by a few people and had an audit. Unfortunately it doesn’t catch everything 😕
Seems like EOS.win was burned by this faulty ABI too
Zhao Yu@ EOSLaoMao.com
but you do check the token is EOS issued by eosio.token, no?
EOSBetCasino | EOSBet.IO
yes, but the check is faulty
Mathias Romeo
You can't distinguish that by just inspecting the transfer struct.
You need to assert that code is eosio.token when transfer action is received
EOSBetCasino | EOSBet.IO
Here is the code
if (code == self || code == N(eosio.token) || action == N(onerror))
EOSBetCasino | EOSBet.IO
code == self || code == N(eosio.token)
the OR 😩
allows you to just call transfer directly on the contract and place a bet
We are simulating the attack, you need to submit raw transaction data unless you have the transfer in your ABI
It’s quite simple sadly. It just allows you to call the transfer function directly on your contract. Simulating a bet
Dafeng Guo | @eosasia | myeoskit.com
https://www.myeoskit.com/#/tx/58ed3541139bba3f91c11c4981052b2d00bfe7ec6cf20208d357c75cc9f943fc this is the tx
Cesar Nebula Protocol
I think we should enforce ABI validation, as a firewall for contracts
Michael Fletcher | EOS42
You can get around this easily with assertions, just make sure only valid users can call those publicly available functions
In this case I don't understand why there's a transfer function, I'd expect people to transfer to the contract directly and then the contract receives a require recipient notification, which then it can do its thing
And you just need to assert that the transfer is from eosio.token
Dafeng Guo | @eosasia | myeoskit.com
likely because of this faulty answer: https://eosio.stackexchange.com/questions/421/how-to-do-something-when-your-contract-is-an-action-notification-recipient-like
nsjames | Scatter
https://github.com/GetScatter/RIDL-Contracts/commit/c6864fe8f595067fc3c6a351328ad2842cf02ab4#diff-fdbbe3eca1f0a0b466b6712ca7ef1044L176 This was possibly the bigger culprit. It was added to API but not specified in the ABI as an action
Sharif Bouktila - eosDublin
Hello BPs. Regarding ECAF's latest order A009. The blacklist was broken and funds transferred
- 9 Sept 2018 at 2316 UTC the blacklist order was given on-chain for the account huobldeposit (note the attempt by the alleged hacker to cause confusion with a similar exchange account name) https://bloks.io/transaction/9a77411471514c9a5ad4add79839b7bbeee402e4b52f9113fb19c1c5ba50abbe
- 10 Sept 2018, 1342 UTC (14 hrs after order): an outgoing transaction was made transferring 5 EOS. https://bloks.io/transaction/c9937d64bf5411b8c13289c34a5414593001c1ba33062e0249a8c8f9994baa7d
- 10 Sept 2018, 1810 UTC (18 hrs after order): the remaining funds in the account were transferred out to OTCBTC https://bloks.io/transaction/95f4a17084cee04553564c65bf36bef7ccf571123e3d280152465870d82fa1d7
Moti T | ECAF
So:
- If a BP gets promoted who is not part of the active list the blacklist is broken
- If a BP is late to reading the notices it gets broken
Kevin Rose - EOS New York
Moti can you share the invite link to the ECAF/BP channel?
Moti T | ECAF
https://t.me/joinchat/IIwbQBCcDhk5OV4pbSivTg
Guillaume - EOS Titan
https://eosflare.io/account/ecafofficial
Tristan Fairbairn
It can hardly be surprising to anyone that writing SC with arbitrary C++ leads to logic and security issues
Kedar Iyer - Everipedia - LibertyBlock
the bugs we've seen so far are basic logic errors. a better language wouldn't have helped the EOSBet hack
+1 on getting a good point of contact for Huobi who is dedicated to BP stuff
https://bloks.io/transaction/9a77411471514c9a5ad4add79839b7bbeee402e4b52f9113fb19c1c5ba50abbe
who is the best point of contact for Huobi for BP messages?
Denny Wu - HUOBI
Wen Huaqiang is our CTO, but you can contact me as well
mini - EOS Argentina
@jestagram @any_x Denny Wu @therealstepd @marcantoineross @Ross_Cypherglass @JamesSutherland is there any chance that you guys could review and approve the proposal?
https://eosauthority.com/approval/view?scope=argentinaeos&name=chngzhaoauth&lnc=en
Stéphane Duchesneau - EOS Canada
So, who is running 1.2.5 in production?
Is there any known issue with this running as the block producing node?
We have most of our prod nodes on 1.1.6 and a few p2p nodes on 1.2.5 and they seem to be performing well (~15% less RAM used, similar CPU usage...)
We should include a little "semver" version in bp.json or whatever, would make things clearer ;)
we could list:
{"bp": "1.1.6-dirty", "p2p": ["1.2.5-dirty", "1.1.6-dirty"]} or something, and give us a better view of version adoption!
Zhao Yu@ EOSLaoMao.com
that means we have to update producer json a little bit too often…
producerjson contract could do a plugin for nodeos
btw, we are planning to build a blacklist plugin for theblacklist contract
so that you don't need to submit your blacklist hash manually every time you update your blacklist config
mini - EOS Argentina
Eugene Luzgin - EOS Tribe
I was playing with Splunk while I was on a trial period but then got a quote from the Splunk company.
This is the cheapest option.
Just sharing in case anyone is thinking about Splunk.
Great product, used it at ecommerce companies - too pricey for startups though.
Alexandre Bourget - EOS Canada
EOS Canada's stance on the chngzhaoauth proposal and blacklisted accounts leaking transactions
- After the successful approval of a similar proposal on Kylin, we feel it is not necessary to sign chngzhaoauth for these reasons:
1. This proves the point that eosio.sudo is useful and/or that it's not more or less of a threat than the currently proposed transaction, just that it is a lot cleaner to use eosio.sudo (although I find Mallmann very neat and clever)
2. This transaction will be of high visibility but will be very obscure to inspect by the public (it requires assumptions about the contents of raw actions, and does not store a future-proof ABI on eosio.prods, which is a contracts development best practice, and ensures sanity of introspection).
3. We want to strongly propose eosio.sudo as a better solution for freezing accounts (and other maintenance ops): a sudo-wrapped transaction that changes the authority of an account, and potentially keeps in that same transaction traces of the previous authority of the account, in order to do a reversal in the future, when things settle down.
3.1. This, as everything in our DPoS chain, requires 2/3+1. I think proposing 21/21 makes no sense whatsoever, because it gives veto power to block things, which is contrary to DPoS, and has no implementation.
Stéphane Duchesneau - EOS Canada
PR open for preventing encoding issues and stuff: https://github.com/EOSLaoMao/theBlacklist/pull/11
There is no issue with any proposal not passing as long as teams took time to review and decide.
Perfectly healthy and I hope to see many more proposals both fail and pass.
EOS Canada gave a good summary of the reasons why, this is all learning for everyone.
Thanks also to both the proposer and the teams who pushed through testnet validation etc.