Another EOS decentralized app (dApp) has severely botched an airdrop. This time, fledging gambling platform Se7ens is in the spotlight, after a community member managed to credit himself with a billion tokens by exploiting its poorly made smart contract.
Se7ens, an EOS-powered dice game, announced it would be distributing exactly half of its seven billion token supply to EOS holders. Developers were meant to send 10,000 tokens to each participating account, but instead were forced into sending so much more.
Below, we can see Se7en’s smart contract ‘mistakenly’ credit an EOS account with one billion SEVEN tokens. Shortly after, the tokens mysteriously disappeared.
“After I published [what happened] on Reddit, [SE7EN] silently cut my balance to 100,000 tokens and called it a bug bounty,” the account holder wrote. “I didn’t even receive any transaction in my history, and the tokens have magically disappeared. So, the team assigns themselves a freedom to modify user balances at will. I wonder how they plan to be listed on an exchange with such treatment of their assets.”
Problems arose when the user noticed developers failed to build Se7en’s smart contract correctly. Strangely, they did not use the standard, pre-built EOS functions made specifically for sending tokens – “issue,” and “transfer.”
This meant cryptocurrency suddenly appeared in user accounts, rather than being transferred over the blockchain. There is no trace of the transactions being confirmed by the network.
To make matters worse, devs did not add any checks to ensure the amounts sent by its airdrop were correct. This is the security flaw that allowed the user to instantly credit himself with 100,000 times the intended amount.
This isn’t even the first time EOS dApp developers have screwed up an airdrop.
Truly, small-time cryptocurrency platform Trybe recently drew community ire after it suddenly accessed user accounts to retrieve tokens mistakenly sent by its smart contract-powered airdrop.