Security Issue: EOS Distro sending wrong To Address in MetaMask

Open modellbobby opened this issue 7 years ago • 4 comments

Dear Devs,

I have to report an issue here:

I transferred my claimed EOS Token to my MetaMask Wallet and it worked somehow. But it didn’t show up in the interface:

Here the transaction: https://etherscan.io/tx/0xbbe018932baac883e3284acdbd9b51b803709ab3fe284ba6cd3639826e22faf9

Then I clicked again on the Transfer EOS token button on the interface because my tokens still showed up. MetaMask did something I don’t understand and my tokens are now gone to the EOS Contract, because the interface sent the wrong information to MetaMask.

https://etherscan.io/tx/0x5af7b8dd0a7ee4b1c1206eafecfe71d9ba70f58306ad9746bef3f3b6be807529

It seems the bug sent the tokens to the contract now. If you look into the EOS Contract address you see that many people are tapping into this error at the moment.

You can easily re-test this as follows:

1) Go to https://eos.io/distribution/
2) Press transfer EOS token (on an account which already transferred tokens back)
2.1) You can do this with an account which has claimed tokens: press transfer EOS token, then don't refresh the distro page and do it again
3) Enter your ether address, and then MetaMask opens with the TO address of the EOSContract and NOT your ether address
4) If your token balance is 0 there is no real issue (still a bug), but if, as in my case, the distro interface still shows a token balance that is not 0, you transfer the tokens to the Contract.

Can you support here, please?

modellbobby avatar Dec 30 '17 20:12 modellbobby

Here is a video demonstrating the behavior, just without tokens. You see on transaction #5 in my wallet the correct transaction from distro to my wallet, and #6 is the same one but with the bug which led to the transaction from my wallet to the EOSContract.

IMG_2947.mp4.zip

modellbobby avatar Dec 30 '17 20:12 modellbobby

This is correct, because EOS is only an ERC-20 token so all movement happens within the token contract.

winnie8u avatar Jan 04 '18 02:01 winnie8u

No, this is not correct, because the bug on the distro page is sending the contract address as TO address and not via address to MetaMask. And then your tokens are sent directly TO the contract. Just look into the contract with Etherscan and you will see for yourself. Test it by pressing on transfer funds several times on the distro page.

On 04.01.2018 at 03:43, Winnie Hsu [email protected] wrote:

> This is correct, because EOS is only an ERC-20 token so all movement happens within the token contract

modellbobby avatar Jan 04 '18 07:01 modellbobby

We have tried to reproduce this error in HK along with Sandwich and could not reproduce it. We analyzed the code and could not find any way that this could happen.

In the end, the conclusion was that there is a high probability that this was a Meta Mask error. We came to this conclusion because when trying to reproduce this issue, we encountered a different problem which was clearly down to Meta Mask not working properly (Meta Mask asked us to match the gas price on Ethgasstation.info, which proposed a gas price of 1 gwei, however the browser client asked for a higher gas price of 55 gwei, which is ridiculously high in comparison).

Currently there are over 550 issues reported in the Meta Mask Wiki, which led us to the final conclusion that Meta Mask might have been the reason for the above described issue.

ChristianDunst avatar Jan 25 '18 08:01 ChristianDunst
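
The disagreement in this thread turns on which address is which in an ERC-20 transfer: the transaction's `to` field is the token contract, while the token recipient is the first argument of `transfer(address,uint256)` in the calldata. The following is an added example, not code from the EOS distribution page or from any participant, of a pre-signing check that decodes the calldata and flags a request whose recipient is the token contract itself. The function names, finding labels, addresses and amounts are assumptions constructed for illustration.

```javascript
// Added example; addresses and amounts below are constructed, not taken from the issue.
const TRANSFER_SELECTOR = "a9059cbb"; // first 4 bytes of keccak256("transfer(address,uint256)")

// Build calldata for transfer(address,uint256): selector + two 32-byte words.
function encodeErc20Transfer(recipient, amount) {
  const addr = recipient.toLowerCase().replace(/^0x/, "");
  return "0x" + TRANSFER_SELECTOR + addr.padStart(64, "0") + amount.toString(16).padStart(64, "0");
}

// Decode transfer(address,uint256) calldata; reject anything malformed.
function decodeErc20Transfer(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{136}$/.test(hex)) {
    throw new Error("not a well-formed transfer(address,uint256) call");
  }
  if (hex.slice(0, 8) !== TRANSFER_SELECTOR) {
    throw new Error("selector is not transfer(address,uint256)");
  }
  const addrWord = hex.slice(8, 72);
  if (!addrWord.startsWith("0".repeat(24))) {
    throw new Error("address word has non-zero padding");
  }
  return { recipient: "0x" + addrWord.slice(24), amount: BigInt("0x" + hex.slice(72)) };
}

// Compare what the user typed with what the wallet is about to sign.
function checkTransferRequest(tx, tokenContract, intendedRecipient) {
  const token = tokenContract.toLowerCase();
  const { recipient, amount } = decodeErc20Transfer(tx.data);
  const findings = [];
  if (tx.to.toLowerCase() !== token) findings.push("tx-to-is-not-token-contract");
  if (recipient === token) findings.push("recipient-is-token-contract");
  if (recipient !== intendedRecipient.toLowerCase()) findings.push("recipient-mismatch");
  return { recipient, amount, findings };
}

const TOKEN = "0x" + "11".repeat(20); // constructed token contract address
const USER = "0x" + "22".repeat(20);  // constructed user wallet address
const good = { to: TOKEN, data: encodeErc20Transfer(USER, 1000n) };
const bad = { to: TOKEN, data: encodeErc20Transfer(TOKEN, 1000n) };

console.log(checkTransferRequest(good, TOKEN, USER).findings);
console.log(checkTransferRequest(bad, TOKEN, USER).findings);
```

In both sample requests the transaction `to` is the token contract; only the decoded recipient distinguishes a normal transfer from one that leaves the tokens at the contract address.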