Meitu Blockchain Lab releases details of malicious EOS contract

According to IMEOS, a week ago, Meitu Blockchain Lab discovered a security vulnerability in which a malicious EOS contract could devour user RAM. The lab submitted the issue to EOSIO officials and fully communicated with the official team on the details of the vulnerability.

After a week of communication with the official team, the official team has fully understood the harm of the vulnerability and decided to select a suitable solution in the later stage to patch the code of this vulnerability. In order to avoid malicious attacks during this vacuum period, Meitu Blockchain Lab decided to publish the details of the vulnerability for community research reference to facilitate self-inspection and defense.

It is reported that EOS contracts can trigger calls to other contracts through require_recipient. Designing such a mechanism provides great convenience to contract developers, but it also brings new problems. When a user transfers money to a contract, the contract can consume the user's RAM without the user's knowledge.