[Breaking]: EOS Potential EOSIO RAM Exploit Hack Vulnerability Solution Issued, But Large Exchanges Still at Risk
EOS Releases Solution To Prevent RAM Exploits
The EOS team had been facing problems with the RAM exploit issue. A malicious user can install code on their account which will allow them to insert rows in the name of another account sending them tokens. This lets them steal RAM by inserting large amounts of garbage into rows when dapps/users send them tokens.
The team has finally come up with a solution. By sending tokens to a proxy account with no available RAM, and with a memo where the first word of the memo is the account you eventually want to send the tokens to, the only account they can assume database row permissions for is the proxy, which has no RAM.
For time being, till the bug is fixed, if users are sending tokens to people that they do not know, they can send them through safetransfer. They can do this by adding the account name as the memo
How to use the new update
The new contract accepts all token types that conform to the basic eosio.token contract. The only method that has to have an identical argument signature is the transfer method. You will need to set permissions onto your proxy contract to allow it to send tokens inline.
In the same way you are sending transfer to your users you simply change the memo to include the account name as the first word in the memo. This contract also carries along the rest of the memo after a space.
You can do this from a smart contract without using this intermediate proxy. “Inline transfer to proxy, then inline transfer from proxy. Proxy’s active would delegate to contract’s eosio.code The original contract would issue both transfers, but with a different auth.”
Be sure to keep up with the Reddit thread as more users add feedback and share the latest updates in an on going story.