Early warning: TRON DApps may become a new target for hackers

The TRON DApp TronBank was hit by a fake-token attack at 1 am on April 11. On the morning of the 11th, the Beosin Chengdu Chain Security technical team made a preliminary analysis and determined that the main cause of the attack was that the contract did not strictly verify the token's unique identifier, the token ID, and so mistook the attacker's own valueless token for BTT tokens worth 850,000 yuan, which caused the loss. When checking other open-source project code on GitHub, I found other projects with the same security issue. The following are the affected contract addresses:

TF3YXXXXXXXXXXXXXXXXXXXXXXXWt3hx;

TKHNXXXXXXXXXXXXXXXXXXXXXXXAEzx5;

TK8NXXXXXXXXXXXXXXXXXXXXXXXZkQy;

TUvUXXXXXXXXXXXXXXXXXXXXXXXxLETV;

TG17XXXXXXXXXXXXXXXXXXXXXXXkQ9i.

According to the analysis of the Beosin Chengdu Chain Security technical team, there are two reasons for the above problems: 1) developers have not studied how TRON tokens work closely enough and may have carried over the way tokens are handled on Ethereum; 2) attackers draw on attack patterns that already exist on other public chains, such as the fake-token attack already seen on EOS.

Remedy: the Beosin Chengdu Chain Security technical team suggests that, when receiving tokens, the project side should check that both msg.tokenvalue and msg.tokenid meet expectations. The team also gives a repair for the vulnerable code: add the following to the Invest function, where minimum is the minimum investment amount:

    require(msg.tokenid == 1002000);
    require(msg.tokenvalue >= minimum);
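The remedy in context, as an added example that is not from the article or from TronBank's code: a minimal deposit contract for the TRON Solidity compiler, with the unchecked pattern next to the checked one. The contract and function names, the MINIMUM value and the withdraw logic are assumptions made for illustration; the token ID 1002000 is the one given in the article.

```solidity
pragma solidity ^0.4.25;

// Illustrative contract (hypothetical names), written for TRON's Solidity
// fork, which adds the trcToken type, msg.tokenid and msg.tokenvalue.
contract InvestExample {
    // Hypothetical minimum deposit, in the token's smallest unit.
    uint256 constant MINIMUM = 1000000;

    // Amount each investor is credited with, booked as BTT.
    mapping(address => uint256) public deposits;

    // BEFORE: only the amount is checked. msg.tokenvalue is the amount of
    // whatever TRC10 token came with the call, so a deposit of any token,
    // including one the caller issued, is booked as if it were BTT.
    function investUnchecked() public payable {
        require(msg.tokenvalue >= MINIMUM);
        deposits[msg.sender] += msg.tokenvalue;
    }

    // AFTER: the token ID is checked together with the amount, as the
    // article recommends. 1002000 is the token ID given in the article.
    function invest() public payable {
        require(msg.tokenid == 1002000);
        require(msg.tokenvalue >= MINIMUM);
        deposits[msg.sender] += msg.tokenvalue;
    }

    // Payouts are always made in the real token, which is why a deposit
    // booked from a different token ID turns into a loss for the contract.
    function withdraw(uint256 amount) public {
        require(deposits[msg.sender] >= amount);
        deposits[msg.sender] -= amount;          // update state before sending
        trcToken payoutToken = 1002000;
        msg.sender.transferToken(amount, payoutToken);
    }
}
```

When auditing a TRON contract, every payable function that reads msg.tokenvalue should have a matching msg.tokenid check on the same code path.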
