The Wavefield (TRON) DApp tronbank was hit by a counterfeit-token attack at 1 am on April 11. On the morning of the 11th, a preliminary analysis by the Beosin Chengdu Chain Security technical team determined that the main cause was that the contract did not strictly verify the token's unique identifier (token ID). It therefore mistook the attacker's own worthless token for BTT tokens worth 850,000 yuan, which caused the loss. When checking other open source project code on GitHub, I found other projects with the same security issue. The problematic contract addresses are:
TF3YXXXXXXXXXXXXXXXXXXXXXXXWt3hx;
TKHNXXXXXXXXXXXXXXXXXXXXXXXAEzx5;
TK8NXXXXXXXXXXXXXXXXXXXXXXXZkQy;
TUvUXXXXXXXXXXXXXXXXXXXXXXXxLETV;
TG17XXXXXXXXXXXXXXXXXXXXXXXkQ9i.
According to the analysis of the Beosin Chengdu Chain Security technical team, there are two reasons for the above problems: 1) the developers did not study the Wavefield (TRON) token mechanism sufficiently and may have carried over the way tokens are used on Ethereum; 2) attackers reused an attack pattern that already exists on other public chains, such as the counterfeit-token attack already seen on EOS.
Remedy: the Beosin Chengdu Chain Security technical team suggests that, when receiving tokens, the project side should check that both msg.tokenvalue and msg.tokenid meet expectations. The team gives the following fix for the vulnerable code: add these lines to the Invest function, where minimum is the minimum investment amount:
require (msg.tokenid == 1002000);
require (msg.tokenvalue >= minimum);