EOSIO / eos

An open source smart contract platform
https://developers.eos.io/manuals/eos
MIT License

issue of upgradable contract code #4446

Closed bezalel closed 6 years ago

bezalel commented 6 years ago

After reading the 'setcode'-related source code of EOSIO, I found that the contract code set on an account can be modified at any time if the owner of the contract account makes a new 'setcode' transaction. Before reading the EOSIO source, I thought that deployed contract code could only be modified after getting the confirmation of block producers (in the case of security bugs, I thought BPs freeze and upgrade a contract). If modification of contract code is possible at any time, I think malicious dapp developers or hackers can steal users' assets by suddenly modifying contract code. This will cause disasters and more powerful FUD in the EOS ecosystem.

Below are the possible cases of disaster caused by upgradable contract code,

Don't we need more security features for 'setcode' transaction?

humblefirm commented 6 years ago

I agree that

Lucklyric commented 6 years ago

I also agree with that. I would also like to know whether there is any way to prevent this from happening.

bezalel commented 6 years ago

To mitigate this issue, Dapp developers can voluntarily use multisig or set owner to eosio.prods (Dan's quick opinion to my private message)

Though Dapp devs can voluntarily set their contract account to be owned by producers to gain trust from users, that is not required (compelled). If setting "eosio.prods" should be the best practice for Dapp contracts, then the community should watch which contracts are owned by producers or multisig-ed and which are not, and warn of the risk of non-producer-owned contracts.

And, once the contract is owned by producers, the Dapp devs cannot do other necessary transactions by themselves, like selling unused RAM (though RAM can be bought by others), and so on.
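The "community should watch which contracts are owned by producers or multisig-ed" point above can be turned into a mechanical check. The script below is an added example, not code from this issue or from the EOSIO project: it classifies a contract account by who can satisfy its `owner` and `active` permissions, the ones that authorize `setcode`. It assumes the JSON shape of `cleos get account -j <name>` (an `account_name` field and a `permissions` array whose entries carry `perm_name` and `required_auth` with `threshold`, `keys`, `accounts`, `waits`), treats `eosio.prods` as the producer multisig, and counts `waits` as developer-side weight since the developer only has to wait out the delay. Account names and keys in the sample are constructed placeholders. The overall verdict is the riskier of the two permissions because `owner` can rewrite `active` with `updateauth`, so a producer-delegated `active` under a single-key `owner` offers no real protection.

```python
"""Classify who can change an EOSIO contract account's code from its permissions.

Added example. JSON shape mirrors `cleos get account -j <name>` (assumption);
account names and keys below are constructed placeholders.
"""
import json

PRODUCER_ACTOR = "eosio.prods"
# Ascending risk of a unilateral setcode by the developer side.
RISK_ORDER = ["unsatisfiable", "producer-required", "multisig", "single-signer"]


def classify_auth(required_auth):
    """Classify one permission's required_auth by who can reach its threshold."""
    threshold = required_auth["threshold"]
    keys = required_auth.get("keys", [])
    accounts = required_auth.get("accounts", [])
    waits = required_auth.get("waits", [])

    prod_weight = sum(a["weight"] for a in accounts
                      if a["permission"]["actor"] == PRODUCER_ACTOR)
    dev_accounts = [a for a in accounts
                    if a["permission"]["actor"] != PRODUCER_ACTOR]
    # Waits are developer-controllable: a delayed transaction still satisfies them.
    dev_weight = (sum(k["weight"] for k in keys)
                  + sum(a["weight"] for a in dev_accounts)
                  + sum(w["weight"] for w in waits))

    if dev_weight + prod_weight < threshold:
        return "unsatisfiable"        # nobody can authorize: misconfigured
    if (any(k["weight"] >= threshold for k in keys)
            or any(a["weight"] >= threshold for a in dev_accounts)):
        return "single-signer"        # one key or account can setcode alone
    if dev_weight < threshold:
        return "producer-required"    # eosio.prods must co-sign
    return "multisig"                 # several developer-side signers needed


def assess_account(account):
    """Per-permission classes plus an overall verdict (riskier of owner/active)."""
    by_name = {p["perm_name"]: p["required_auth"] for p in account["permissions"]}
    owner_cls = classify_auth(by_name["owner"])
    active_cls = classify_auth(by_name["active"])
    verdict = max(owner_cls, active_cls, key=RISK_ORDER.index)
    return {"account": account["account_name"], "owner": owner_cls,
            "active": active_cls, "verdict": verdict}


def assess_json(text):
    """Assess one account from the JSON text printed by `cleos get account -j`."""
    return assess_account(json.loads(text))


# --- constructed sample accounts (placeholder names and keys) -----------------
def _auth(threshold, keys=(), accounts=(), waits=()):
    return {"threshold": threshold,
            "keys": [{"key": k, "weight": w} for k, w in keys],
            "accounts": [{"permission": {"actor": a, "permission": "active"},
                          "weight": w} for a, w in accounts],
            "waits": [{"wait_sec": s, "weight": w} for s, w in waits]}


def _account(name, owner, active):
    return {"account_name": name, "permissions": [
        {"perm_name": "owner", "parent": "", "required_auth": owner},
        {"perm_name": "active", "parent": "owner", "required_auth": active}]}


SAMPLE_ACCOUNTS = [
    # developer alone controls both permissions
    _account("devonlydapp",
             _auth(1, keys=[("EOS_PLACEHOLDER_KEY_1", 1)]),
             _auth(1, keys=[("EOS_PLACEHOLDER_KEY_2", 1)])),
    # fully delegated to producers, as suggested in the thread
    _account("prodowndapp",
             _auth(1, accounts=[(PRODUCER_ACTOR, 1)]),
             _auth(1, accounts=[(PRODUCER_ACTOR, 1)])),
    # only active delegated; owner can undo it, so still single-signer
    _account("halfwaydapp",
             _auth(1, keys=[("EOS_PLACEHOLDER_KEY_3", 1)]),
             _auth(1, accounts=[(PRODUCER_ACTOR, 1)])),
    # 2-of-3 developer multisig
    _account("msigdapp",
             _auth(2, keys=[("EOS_PK_A", 1), ("EOS_PK_B", 1), ("EOS_PK_C", 1)]),
             _auth(2, keys=[("EOS_PK_A", 1), ("EOS_PK_B", 1), ("EOS_PK_C", 1)])),
]


def assess_all(accounts=SAMPLE_ACCOUNTS):
    """Map account name -> assessment for a list of account JSON objects."""
    return {r["account"]: r for r in (assess_account(a) for a in accounts)}


if __name__ == "__main__":
    for name, r in assess_all().items():
        print(f"{name:12s} owner={r['owner']:18s} active={r['active']:18s} "
              f"-> {r['verdict']}")
```

To run it against a live account, pipe `cleos get account -j <name>` into `assess_json`; a verdict of `single-signer` is the case the issue warns about, `producer-required` is the eosio.prods arrangement mentioned in the comment above, and `multisig` is the voluntary middle ground.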