The way to avoid a fake token on TELOS network

Nowadays the keyword "blockchain" is more popular than ever. Many applications, from games to finance, run on blockchain networks such as TELOS (which is built on EOSIO technology), and TELOS has a native token called TLOS.
The problem appears when you want to accept the TLOS token as a payment method in your application. For example, you are developing an online goods shop and you let users pay for their purchases with TLOS.
One fine day, a malicious user deploys a smart contract on the TELOS network that creates a token with the same name as the TLOS token.
They have seen the flaw in your logic. Of course, five minutes later they log in to your app and buy some goods. After finishing shopping, they choose to pay with TLOS.

#12345678
Your receipt details:
01 T-shirt     $500
02 Nike Jordan $300
--------------------
Total:         $800

Send goods to: 34 street, US.

You chose to check out with TLOS, so please send us 12.10 TLOS with memo 123456


All your goods will be delivered to you after the payment is done.
Thank you for shopping at our shop!
See you again!

Then the user transfers 12.10 TLOS from their own smart contract. Your app checks that enough tokens arrived with that memo. Finally, your shop ships all the goods to the address on the receipt. Done!

Do you see the flaw?

The big flaw is that you never check which smart contract the token came from. You only check the token name, the memo and the amount. That is a big mistake on your side, and an attacker can use it to steal your goods. It's easy!

Conclusion:
This is a general EOSIO problem: any account can deploy a contract that issues a token with the same symbol. To avoid it, check which smart contract the TLOS transfer came from (the real TLOS is issued by the eosio.token contract), alongside the other conditions, before marking the transaction as valid in your application.
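To make the conclusion concrete, here is an added example (not code from the original post) that compares the shop's naive check against a hardened one over two constructed EOSIO action traces: a real transfer executed by eosio.token and a look-alike executed by a contract called scam.token. The trace layout (act.account, act.name, act.data, receipt.receiver) is the standard EOSIO action-trace shape; the account names, memo and amounts are constructed for this example.

```javascript
// Added example: validating a TELOS transfer action trace.
// The point is that act.account (the contract whose code executed the
// action) identifies the real token, not the symbol string in quantity.

// Parse an EOSIO asset string such as "12.1000 TLOS" into integer units so
// amounts are compared exactly (never as floats) together with precision.
function parseAsset(asset) {
  const m = /^(\d+)(?:\.(\d+))?\s+([A-Z]{1,7})$/.exec(asset.trim());
  if (!m) throw new Error(`malformed asset: ${asset}`);
  const [, whole, frac = "", symbol] = m;
  return { units: BigInt(whole + frac), precision: frac.length, symbol };
}

const TLOS_CONTRACT = "eosio.token"; // contract that issues the real TLOS
const TLOS_PRECISION = 4;            // TLOS is a 4-decimal asset

// What the shop was expecting for receipt #12345678 (constructed values).
const EXPECTED = { to: "myshop", memo: "123456", quantity: "12.1000 TLOS" };

// The naive check from the story: symbol, amount and memo only.
function naiveAccept(trace, expected) {
  const { quantity, memo } = trace.act.data;
  const q = parseAsset(quantity);
  const want = parseAsset(expected.quantity);
  return q.symbol === want.symbol && q.units >= want.units && memo === expected.memo;
}

// The hardened check: which contract ran the transfer, who was notified,
// who it went to, exact symbol and precision, then amount and memo.
function hardenedAccept(trace, expected) {
  const { act, receipt } = trace;
  if (act.account !== TLOS_CONTRACT || act.name !== "transfer") return false;
  if (receipt.receiver !== expected.to) return false; // notification delivered to us
  const { from, to, quantity, memo } = act.data;
  if (to !== expected.to || from === expected.to) return false;
  const q = parseAsset(quantity);
  if (q.symbol !== "TLOS" || q.precision !== TLOS_PRECISION) return false;
  const want = parseAsset(expected.quantity);
  return q.units >= want.units && memo === expected.memo;
}

// Constructed sample traces: one genuine, one from a look-alike contract.
const legitTrace = {
  receipt: { receiver: "myshop" },
  act: {
    account: "eosio.token",
    name: "transfer",
    data: { from: "alice", to: "myshop", quantity: "12.1000 TLOS", memo: "123456" },
  },
};
const fakeTrace = {
  receipt: { receiver: "myshop" },
  act: { ...legitTrace.act, account: "scam.token" }, // same symbol, wrong contract
};

function demo() {
  return {
    naiveOnFake: naiveAccept(fakeTrace, EXPECTED),       // true: the flaw
    hardenedOnFake: hardenedAccept(fakeTrace, EXPECTED), // false: rejected
    hardenedOnReal: hardenedAccept(legitTrace, EXPECTED), // true: accepted
  };
}

console.log(demo());
```

Run it with Node.js; the naive check accepts the look-alike transfer, the hardened check rejects it and still accepts the genuine one. Comparing the asset as integer units with its precision also stops a transfer of "12.1 TLOS" from a contract with a different precision from being mistaken for 12.1000 TLOS.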

Here is a simple piece of code that listens for TLOS transfers to your account and checks each one as it arrives
(I am using the streaming API of spectrumeos.io):

const YOUR_WS_API_KEY = '<your-websocket-telos-api-key>'   // placeholder: your streaming API key
const YOUR_TELOS_ACCOUNT = '<your-telos-account>'          // placeholder: the account that receives payments
const TLOS_CONTRACT = 'eosio.token'                        // the contract that issues the real TLOS

// receipt and act.data may arrive as JSON strings or already-parsed objects
const asObject = (value) => (typeof value === 'string' ? JSON.parse(value) : value)

const telosChecking = () => {
    const messageBody = {
        apikey: YOUR_WS_API_KEY,
        event: 'subscribe',
        type: 'get_actions',
        data: {
            account: YOUR_TELOS_ACCOUNT,
            actions: ['transfer']
        }
    }
    const socket = new WebSocket('wss://api.telos.eostribe.io/streaming')

    socket.onopen = () => {
        socket.send(JSON.stringify(messageBody))
    }

    socket.onmessage = (event) => {
        const transaction = JSON.parse(event.data)
        const { receiver } = asObject(transaction.action.receipt)   // account that was notified
        const { account, name } = transaction.action.act            // account = contract whose code ran the action
        const { from, to, quantity, memo } = asObject(transaction.action.act.data)

        // The contract check is what defeats a look-alike token: only eosio.token
        // moves real TLOS, whatever the symbol in quantity says
        if (account === TLOS_CONTRACT && name === 'transfer'
            && receiver === YOUR_TELOS_ACCOUNT
            && to === YOUR_TELOS_ACCOUNT && from !== YOUR_TELOS_ACCOUNT
            && quantity.endsWith(' TLOS')) {
            // Do something: match memo and quantity against the pending receipt
        }
    }
    socket.onclose = (event) => {
        console.log('Telos socket connection closed:', event.code)
        setTimeout(() => {
            console.log('Reconnecting to Telos socket')
            telosChecking()
        }, 1000)
    }
    socket.onerror = (error) => {
        console.log('Telos websocket got error:', error.message)
    }
}

Thank you for reading!
