EOS Looks For a Smart Contract Solution While RAM Exploit Harms Users
The EOS community is currently dealing with an exploit of its smart contract platform that lets malicious contract authors consume other users' network resources, specifically their RAM. Because of this, the project's developers are searching for a way to fix the problem as quickly as possible.
EOS Smart Contracts Are Being Used To Steal RAM
To discourage spam and keep the network from clogging, users have to buy RAM to store data on the EOS network, whether to deploy smart contracts or to run decentralized applications (dapps).
As a group of developers recently found out, attackers are deploying malicious smart contracts that abuse a feature of the EOS contract platform: an action handled by one contract can notify other accounts of that event, and the notified contract's code then runs inside the same action, with the same authorizations attached.
When a user transfers tokens to such a contract, the contract's handler runs under the user's authorization and can write junk data into its own tables billed to the user's account, filling the user's RAM with unusable rows that only the attacker's code can erase, which effectively steals that RAM. Both contracts and ordinary users can be hit, but only if they transfer tokens to a malicious contract; accounts that never interact with one are not at risk.
The Search For A Solution
As this is a serious threat to the blockchain, Dan Larimer, CTO of Block.one, the company behind EOS, and the original architect of the platform, has addressed the matter recently. According to him, this is not necessarily a bug but an abuse of a valid feature, an act of "vandalism" in his words.
The exploit, he explains, takes advantage of a mismatch between what users intend when they sign a transfer and what the platform's code actually permits that transaction to do. One option he discussed is to have the block producers use their authority to blacklist the offending contracts and release the affected transactions only after the users involved have gone through an arbitration process.
While no definitive fix has been settled on, the EOS developer community is already building workarounds. The EOSEssentials team has produced a somewhat involved but effective way of keeping users from losing their RAM: a proxy account for token transfers.
Instead of sending tokens straight to the destination, the user sends them to a proxy account named safetransfer, which forwards them in an action of its own. A malicious contract is then notified of a transfer authorized by the proxy rather than by the user, so any junk it tries to store can only be billed to the proxy, which holds no spare RAM; the user's own RAM is never touched. In practice, you transfer the tokens to the safetransfer account and put the intended recipient's account name in the transfer memo; the proxy appears in the transaction as the immediate receiver.
The proxy method is working at the time of this report and is at least a way to work around the problem for now. Note, however, that the proxy cannot be used for transfers made through decentralized apps, which will probably not matter much since almost no one is using EOS apps right now.
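To make the RAM-stealing mechanism and the proxy workaround concrete, here is a toy model written for this article. It is not EOSIO or EOSEssentials code; it reduces the chain to the one rule the exploit depends on (a handler may bill table rows to any account whose authorization is attached to the action it is handling, and a notification handler runs under the notifying action's authorizations) and simulates the direct transfer, the proxied transfer to a malicious contract, and the proxied transfer to an honest account. The account names (victim, vandal, friend, safetransfer), the RAM quotas, the row size and the number of junk rows are all constructed assumptions.

```python
"""Toy model of EOSIO RAM billing during a token transfer.

Added illustration for this article, not EOSIO or EOSEssentials code. It
keeps only the rule the exploit depends on: a contract handler running
inside an action may store table rows billed to any account whose
authorisation is attached to that action, and a notification handler
(require_recipient) runs under the notifying action's authorisations.
Account names, quotas and sizes below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

RAM_PER_ROW = 64   # bytes per junk table row (assumed)
JUNK_ROWS = 100    # rows the vandal tries to store per incoming transfer (assumed)


class RamExhausted(Exception):
    """Billed account has no RAM left; in EOSIO this aborts the transaction."""


@dataclass
class Account:
    name: str
    ram_quota: int
    balance: int = 0
    ram_used: int = 0
    code: Optional[Callable] = None   # contract handler for incoming transfers, if any


@dataclass
class ActionContext:
    """What a contract sees while handling one action."""
    accounts: Dict[str, Account]
    authorizations: Set[str]          # accounts whose authorisation is on this action

    def db_store(self, payer: str, nbytes: int) -> None:
        """Store a table row billed to `payer` (simplified EOSIO rule)."""
        if payer not in self.authorizations:
            raise PermissionError(f"{payer} did not authorise this action")
        acc = self.accounts[payer]
        if acc.ram_used + nbytes > acc.ram_quota:
            raise RamExhausted(f"{payer} is out of RAM")
        acc.ram_used += nbytes


def transfer(accounts: Dict[str, Account], sender: str, receiver: str,
             quantity: int, memo: str) -> None:
    """One transfer action authorised by `sender`; the receiver's contract is notified."""
    if accounts[sender].balance < quantity:
        raise ValueError("insufficient balance")
    accounts[sender].balance -= quantity
    accounts[receiver].balance += quantity
    ctx = ActionContext(accounts, authorizations={sender})
    if accounts[receiver].code:
        accounts[receiver].code(ctx, sender, receiver, quantity, memo)


def vandal_on_transfer(ctx, sender, receiver, quantity, memo):
    """Malicious contract: on every incoming transfer, write junk rows billed
    to the account that authorised the action (the sender), not to itself."""
    for _ in range(JUNK_ROWS):
        ctx.db_store(sender, RAM_PER_ROW)


def safetransfer_on_transfer(ctx, sender, receiver, quantity, memo):
    """Proxy contract (stand-in for EOSEssentials' safetransfer; behaviour assumed):
    forward the tokens to the account named in the memo with an inline action
    authorised by the proxy, so the final receiver never sees the sender's auth."""
    transfer(ctx.accounts, sender=receiver, receiver=memo.strip(),
             quantity=quantity, memo="")


def submit(accounts: Dict[str, Account], **action) -> bool:
    """Run one transfer as a transaction; roll everything back on failure."""
    snapshot = {n: (a.balance, a.ram_used) for n, a in accounts.items()}
    try:
        transfer(accounts, **action)
        return True
    except (RamExhausted, PermissionError, ValueError):
        for n, (bal, used) in snapshot.items():
            accounts[n].balance, accounts[n].ram_used = bal, used
        return False


def fresh_chain() -> Dict[str, Account]:
    return {
        "victim": Account("victim", ram_quota=8192, balance=100),
        "friend": Account("friend", ram_quota=8192),
        "vandal": Account("vandal", ram_quota=65536, code=vandal_on_transfer),
        # The proxy holds no RAM of its own, so junk billed to it fails outright.
        "safetransfer": Account("safetransfer", ram_quota=0, code=safetransfer_on_transfer),
    }


def scenarios() -> Dict[str, tuple]:
    """Return (transfer accepted?, victim RAM used, victim balance) per scenario."""
    out = {}
    a = fresh_chain()   # direct transfer to the vandal: 100 junk rows billed to victim
    ok = submit(a, sender="victim", receiver="vandal", quantity=1, memo="")
    out["direct_to_vandal"] = (ok, a["victim"].ram_used, a["victim"].balance)

    b = fresh_chain()   # via proxy: vandal can only bill safetransfer, which has no RAM
    ok = submit(b, sender="victim", receiver="safetransfer", quantity=1, memo="vandal")
    out["proxied_to_vandal"] = (ok, b["victim"].ram_used, b["victim"].balance)

    c = fresh_chain()   # via proxy to an honest account: accepted, costs no RAM
    ok = submit(c, sender="victim", receiver="safetransfer", quantity=1, memo="friend")
    out["proxied_to_friend"] = (ok, c["victim"].ram_used, c["victim"].balance)
    return out


if __name__ == "__main__":
    for name, (ok, ram, bal) in scenarios().items():
        print(f"{name}: accepted={ok} victim_ram_used={ram} victim_balance={bal}")
```

The direct transfer is accepted and leaves the victim with 6400 bytes of RAM consumed by rows it cannot delete. The proxied transfer to the vandal is rejected as a whole, which is the protection: the only account the vandal could bill is the proxy, it has no RAM, the transaction aborts and the victim keeps both its tokens and its RAM. The proxied transfer to an honest account goes through normally.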