Inside money, markets, and big tech

EOS user exploits ‘dumb’ smart contract to make 1B tokens magically appear

... but then devs secretly took them back

Warning! There is a strong chance this will give readers a sense of déjà vu.

Another EOS EOS decentralized app (dApp) has severely botched an airdrop. This time, fledging gambling platform Se7ens is in the spotlight, after a community member managed to credit himself with a billion tokens by exploiting its poorly made smart contract.

Se7ens, an EOS-powered dice game, announced it would be distributing exactly half of its seven billion token supply to EOS holders. Developers were meant to send 10,000 tokens to each participating account, but instead were forced into sending so much more.

Below, we can see Se7en’s smart contract ‘mistakenly’ credit an EOS account with one billion SEVEN tokens. Shortly after, the tokens mysteriously disappeared.

“After I published [what happened] on Reddit, [SE7EN] silently cut my balance to 100,000 tokens and called it a bug bounty,” the account holder wrote. “I didn’t even receive any transaction in my history, and the tokens have magically disappeared. So, the team assigns themselves a freedom to modify user balances at will. I wonder how they plan to be listed on an exchange with such treatment of their assets.”

Problems arose when the user noticed developers failed to build Se7en’s smart contract correctly. Strangely, they did not use the standard, pre-built EOS functions made specifically for sending tokens – “issue,” and “transfer.”

This meant cryptocurrency suddenly appeared in user accounts, rather than being transferred over the blockchain. There is no trace of the transactions being confirmed by the network.

To make matters worse, devs did not add any checks to ensure the amounts sent by its airdrop were correct. This is the security flaw that allowed the user to instantly credit himself with 100,000 times the intended amount.

This isn’t even the first time EOS dApp developers have screwed up an airdrop.

Truly, small-time cryptocurrency platform Trybe recently drew community ire after it suddenly accessed user accounts to retrieve tokens mistakenly sent by its smart contract-powered airdrop.

If you’re interested in everything blockchain, chances are you’ll love Hard Fork Decentralized. Our blockchain and cryptocurrency event is coming up soon – join us to hear from experts about the industry’s future. Ticket sales are now open, check it out!

Published October 4, 2018 — 15:40 UTC