Security company: be vigilant, TRON DApps may become a new target for hackers

The TRON DApp TronBank was hit by a fake-token attack at 1 am on April 11. On the morning of the 11th, the Beosin Chengdu Chain Security technical team carried out a preliminary analysis and determined that the main cause of the attack was that the contract did not strictly verify the token's unique identifier, the token ID. As a result, it mistook the attacker's own valueless tokens for BTT tokens worth 850,000 yuan, resulting in losses.

According to the technical team's analysis, there are two reasons behind the problem: 1) the developers had not sufficiently studied how TRON tokens work and may have carried over the approach used for Ethereum tokens; 2) attackers are migrating attack methods that already exist on other public chains, such as the fake-token attack already seen on EOS.

Fix suggestion: the project team should check that msg.tokenvalue and msg.tokenid both meet expectations at the same time. The team also gave a repair for the vulnerable code, adding the following to the Invest function: require(msg.tokenid == 1002000); require(msg.tokenvalue >= minimum); where minimum is the minimum investment amount.
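The effect of the missing token ID check, shown as an added Python model (not the TronBank contract or the security team's code): the same two calls are run against an invest function with and without the recommended require on msg.tokenid. The class and function names, the minimum of 100, the amounts and the second token ID 1009999 are constructed assumptions; only 1002000 comes from the fix above.

```python
from dataclasses import dataclass, field

BTT_TOKEN_ID = 1002000   # token ID from the recommended fix
MINIMUM = 100            # assumption: minimum investment amount (constructed value)

@dataclass(frozen=True)
class Msg:
    """Model of the call context: sender plus the token attached to the call."""
    sender: str
    tokenid: int
    tokenvalue: int

class Revert(Exception):
    """Raised where the contract's require() would abort the call."""

def require(condition, reason):
    if not condition:
        raise Revert(reason)

@dataclass
class InvestContract:
    strict: bool                                   # True = fix applied
    credited: dict = field(default_factory=dict)   # sender -> amount credited as BTT
    held: dict = field(default_factory=dict)       # token ID -> amount actually received

    def invest(self, msg):
        if self.strict:
            require(msg.tokenid == BTT_TOKEN_ID, "unexpected token id")
        require(msg.tokenvalue >= MINIMUM, "below minimum")
        # State changes only after both checks pass, as in a reverted transaction.
        self.held[msg.tokenid] = self.held.get(msg.tokenid, 0) + msg.tokenvalue
        self.credited[msg.sender] = self.credited.get(msg.sender, 0) + msg.tokenvalue

    def shortfall(self):
        """Amount credited as BTT that is not backed by BTT the contract holds."""
        return sum(self.credited.values()) - self.held.get(BTT_TOKEN_ID, 0)

def run(strict):
    """Replay constructed sample calls; return (shortfall, rejected calls)."""
    contract = InvestContract(strict)
    calls = [Msg("honest", BTT_TOKEN_ID, 500),     # genuine BTT deposit
             Msg("other", 1009999, 10_000)]        # different, valueless token
    rejected = []
    for msg in calls:
        try:
            contract.invest(msg)
        except Revert as err:
            rejected.append((msg.sender, str(err)))
    return contract.shortfall(), rejected

if __name__ == "__main__":
    print("without token ID check:", run(strict=False))
    print("with token ID check:   ", run(strict=True))
```

A nonzero shortfall is the accounting signal to monitor for: the contract's books credit more BTT than it actually holds under token ID 1002000.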