Title: Re-entrancy Vulnerablility · Issue #3 · EthereumOpenSubscriptions/reference-client · GitHub
Open Graph Title: Re-entrancy Vulnerablility · Issue #3 · EthereumOpenSubscriptions/reference-client
X Title: Re-entrancy Vulnerablility · Issue #3 · EthereumOpenSubscriptions/reference-client
Description: Credit to Liam Zebedee for finding this bug The following if from Liam's email notifying us of the vulnerability: Exploit mechanism: Re-entrancy attacks If the ERC20.transferFrom call is re-entrant, meaning it will maliciously call back ...
Open Graph Description: Credit to Liam Zebedee for finding this bug The following if from Liam's email notifying us of the vulnerability: Exploit mechanism: Re-entrancy attacks If the ERC20.transferFrom call is re-entrant...
X Description: Credit to Liam Zebedee for finding this bug The following if from Liam's email notifying us of the vulnerability: Exploit mechanism: Re-entrancy attacks If the ERC20.transferFrom call is re-ent...
Opengraph URL: https://github.com/EthereumOpenSubscriptions/reference-client/issues/3
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Re-entrancy Vulnerablility","articleBody":"Credit to Liam Zebedee for finding this bug\r\n\r\nThe following if from Liam's email notifying us of the vulnerability:\r\n\r\n```\r\nExploit mechanism: Re-entrancy attacks\r\n\r\nIf the ERC20.transferFrom call is re-entrant, meaning it will maliciously call back into the Subscription, it is possible to exploit some facts:\r\n\r\n//increment the timestamp by the period so it wont be valid until then\r\n nextValidTimestamp[subscriptionHash] = block.timestamp.add(periodSeconds);\r\n\r\nThis is executed before transferFrom - so a malicious actor (who specifically has engineered their own proxy contract to with a valid nonce/sig for re-entrant calls) can effectively extend their subscription period by periodSeconds every call. Infinite Netflix anyone?\r\n```\r\n","author":{"url":"https://github.com/captnseagraves","@type":"Person","name":"captnseagraves"},"datePublished":"2018-10-23T19:45:48.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/3/reference-client/issues/3"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:dd695dd0-2cc4-bdf4-81f1-63c47b746850 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | AAF8:1A0CEA:759F36:9EFE9D:6A4C80F3 |
| html-safe-nonce | 9a9c027d7637fca804e54fd11dd19f7f43314b44f0e038a865ab0a95cba7c9ea |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJBQUY4OjFBMENFQTo3NTlGMzY6OUVGRTlEOjZBNEM4MEYzIiwidmlzaXRvcl9pZCI6IjQxNjQ1MTUzMTEyMDkxODU1MjMiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 5a9cf54af26cdc8ca63db1c12ebdff946c2baa0d21c1c5bf6df0b5e2165e98a6 |
| hovercard-subject-tag | issue:373169785 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/EthereumOpenSubscriptions/reference-client/3/issue_layout |
| twitter:image | https://opengraph.githubassets.com/c26f4f13190984835ac5936fd6dd9a84e845333693700669c0fa19066b4b536a/EthereumOpenSubscriptions/reference-client/issues/3 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/c26f4f13190984835ac5936fd6dd9a84e845333693700669c0fa19066b4b536a/EthereumOpenSubscriptions/reference-client/issues/3 |
| og:image:alt | Credit to Liam Zebedee for finding this bug The following if from Liam's email notifying us of the vulnerability: Exploit mechanism: Re-entrancy attacks If the ERC20.transferFrom call is re-entrant... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | captnseagraves |
| hostname | github.com |
| expected-hostname | github.com |
| None | 3d11bb817438277de2a940854450e83a7d32b6aeb5014e9e6b00a6423900251c |
| turbo-cache-control | no-preview |
| go-import | github.com/EthereumOpenSubscriptions/reference-client git https://github.com/EthereumOpenSubscriptions/reference-client.git |
| octolytics-dimension-user_id | 40276396 |
| octolytics-dimension-user_login | EthereumOpenSubscriptions |
| octolytics-dimension-repository_id | 145173436 |
| octolytics-dimension-repository_nwo | EthereumOpenSubscriptions/reference-client |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 145173436 |
| octolytics-dimension-repository_network_root_nwo | EthereumOpenSubscriptions/reference-client |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | cd470457e909b9d062f8002cf438ba870e6acff6 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width