The Exploit

The EOS group has been dealing with a RAM abuse issue. A malicious user can install code on their account that lets them insert database rows in the name of another account that sends them tokens. This lets them steal RAM by inserting large amounts of garbage into rows when dapps or users send them tokens.

The Solution

The team has come up with a solution: send the tokens to a proxy account that has no available RAM, with a memo whose first word is the account you eventually want the tokens to reach. The only account a malicious recipient can then assume database row permissions for is the proxy, which has no RAM.

For the time being, until the bug is fixed, users who are sending tokens to people they do not know can send them through safetransfer. They do this by adding the account name as the memo.

Using the New Update

The new contract accepts all token types that conform to the basic eosio.token contract. The only method that has to have an identical argument signature is the transfer method. You will need to set permissions on your proxy contract to allow it to send tokens inline.

You send the transfer the same way you already send transfers to your users; you simply change the memo so that the account name is its first word. The contract also carries along the rest of the memo, after a space.
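The memo convention described above, from both the sender's and the proxy's side, as an added example that is not the safetransfer contract's own code. The function names, the simplified account-name check and the rejection behaviour are assumptions made for illustration; the 256-byte memo limit is the one eosio.token enforces.

```cpp
// Added example: plain C++11, no EOSIO SDK. Models only the memo convention.
#include <iostream>
#include <string>

// eosio.token rejects transfers whose memo is longer than 256 bytes.
const std::size_t kMaxMemoBytes = 256;

struct Route { bool ok; std::string to; std::string memo; };

// Simplified account-name check (hypothetical helper): 1-12 characters
// from a-z, 1-5 and '.', conservatively refusing a trailing dot.
bool is_valid_account(const std::string& name) {
    if (name.empty() || name.size() > 12 || name[name.size() - 1] == '.') return false;
    for (std::size_t i = 0; i < name.size(); ++i) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= '1' && c <= '5') || c == '.')) return false;
    }
    return true;
}

// Sender side: put the real recipient first, then the original memo.
// Fails if the prefixed memo no longer fits the token contract's limit.
bool build_proxy_memo(const std::string& recipient, const std::string& memo,
                      std::string& out) {
    if (!is_valid_account(recipient)) return false;
    std::string m = memo.empty() ? recipient : recipient + " " + memo;
    if (m.size() > kMaxMemoBytes) return false;
    out = m;
    return true;
}

// Proxy side: the first word is the destination, the remainder is the memo
// to forward. ok == false means the transfer should be rejected.
Route parse_proxy_memo(const std::string& memo) {
    Route r = { false, "", "" };
    std::size_t space = memo.find(' ');
    std::string to = memo.substr(0, space);
    if (!is_valid_account(to)) return r;
    r.ok = true;
    r.to = to;
    if (space != std::string::npos) r.memo = memo.substr(space + 1);
    return r;
}

int main() {
    std::string memo;  // constructed sample values
    if (build_proxy_memo("alice1234abc", "invoice 42", memo))
        std::cout << parse_proxy_memo(memo).to << "\n";
    return 0;
}
```

Because the recipient name and the separating space count toward the memo limit, a memo that fits a direct transfer can be too long once it is routed through the proxy.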

You can do this from a smart contract without using this intermediate proxy. “Inline transfer to proxy, then inline transfer from proxy. Proxy’s active would delegate to contract’s eosio.code. The original contract would issue both transfers, but with a different auth.”

Reference – nsjames | Scatter
