29.04.2018 13:17:00
|
An EOS.CYBEX-Incubated Tech Firm--LianAn Found EOS Smart Contract Also Subject to Overflow Vulnerability
SINGAPORE, April 29, 2018 /PRNewswire/ -- EOS.CYBEX is committed to building a safer EOS community, which has underpinned its supernode campaign strategy. Apart from researching an EOS-bespoke hardware cold wallet, EOS.CYBEX also pools cutting-edge industry resources and incubates entities that are highly potential to contribute to the perfection of EOS ecosystem. Recently, EOS.CYBEX's endeavor enjoyed an important harvest.
According to Chengdu LianAn (Chain Security) Technology Co., Ltd. ("LianAn Tech" below), its research product, VaaS (Verification as a Service) Platform, has identified that if a smart contract developer is not careful, EOS blockchain altcoin contract also suffers similar integer overflow vulnerability that BEC altcoin smart contact has encountered.
In recent Beauty Chain/BEC coin (https://www.beauty.io/) incidence, security hole from one line of code resulted in 0 market cap. Due to smart contract writer's lack of experience, BEC smart contract batchTransfer function has an integer overflow security hole, which was exploited by hacker(s) to fabricate 57,896,044,618,658,100,000,000,000,000,000,000,000,000,000,000,000,000,000,000.792003956564819968 BEC coins.
Targeting this vulnerability, LianAn Tech conducted Integer overflow vulnerability detection and security verification on EOS blockchain smart contract using its VaaS formal verification platform. It found that smart contracts on EOS blockchain are subject to similar integer overflow vulnerability. Below sample EOS smart contract illustrates this vulnerability. This sample implemented a one-to-many transfer smart contract core function "Transfer" as in fig. 1.
Checking above accounts after execution will reveal that sender account ("tester") balance is unchanged (100), receiver accounts (tester 1, tester 2, tester 3, tester 4) account balances are huge (2^63) due to amount overflow (Fig. 3).
Vulnerability Analysis: balance is uint64 type variable. When it is set to 2^63, because the value is less than max value of uint64, the overflow check on balance is passed. But when amount is assigned as balance*4, the overflow sets amount value to 0. Therefore, in this case amount has passed the test of minuend larger than subtrahend, then receivers' balance obtained a huge value while no decrease happens in sender's account.
So, LianAn Tech alerts developers working on EOS smart contract to pay serious attention to integer overflow and consequence that may follow. Developers should do boundary check on every step.
LianAn offers four solutions for such vulnerability issues:
EOS.CYBEX is an experienced team dedicated to EOS project incubation and community development, aiming at providing a myriad of one-stop services for all DAPP developers based on the EOS platform, including test chains readily accessible to developers, and sophisticated test tools and services.
LianAn Tech, which has forged an alliance with EOS.CYBEX community, will dedicate itself to build a safer EOS community via its VaaS platform.
You are welcome to visit our wechat subscription account below, or email us: vaas@lianantech.com
Contact EOS.CYBEX
Telegram Chinese Group:https://t.me/eoscybexcn
Telegram English Group:https://t.me/eoscybexen
Telegram Russian Group:https://t.me/eoscybexru
E-mail :service@eos.cybex.io
Facebook :https://www.facebook.com/Eos-Cybex-2101336689881770/
Twitter :https://twitter.com/EosCybex
Medium :https://medium.com/@eoscybex
Steemit :eos.cybex
View original content with multimedia:http://www.prnewswire.com/news-releases/an-eoscybex-incubated-tech-firmlianan-found-eos-smart-contract-also-subject-to-overflow-vulnerability-300638567.html
SOURCE CYBEX
Wenn Sie mehr über das Thema Aktien erfahren wollen, finden Sie in unserem Ratgeber viele interessante Artikel dazu!
Jetzt informieren!