EOS Aridrop gone wrong: SEVEN

se7ens.io is running a promotion campaign where the users can claim 10000 SEVEN tokens via a Scatter extension. They decided to run an “airgrab”, so that the users claim the tokens and pay for RAM from their accounts. Alright guys, you saved $10000, but…

But it went totally wrong, in many different aspects:

• The smart contract of xxxsevensxxx is an extension of a standard eosio.token contract. They added a new method, “signup”, which takes the desired amount of SEVEN tokens, and just gives the tokens to the user, without leaving any action trace. So, the tokens appear magically on your account, without issue or transfer actions.
• Also they forgot to verify the amount (why is there the amount at all?) in their signup method, so I managed to claim 1 billion of their tokens.
• After I published the above post on Reddit, they silently cut my balance to 100000 tokens and called it a bug bounty. I didn’t even receive any transaction in my history, and the tokens have magically disappeared. So, the team assigns themselves a freedom to modify user balances at will. I wonder how they plan to be listed on an exchange with such treatment of their assets.

How a proper airdrop should be done

1. Copy the standard eosio.token contract and only modify it if really necessary. The only thing that the standard contract is missing, is freezing the tokens if you want to prohibit the transfers until a specific date. In other cases, just take the compiled WASM code of the standard contract and upload it to your token account.
2. Assign permissions to execute create and issue methods to your treasury account.
3. Make the token contract immutable: set the owner and active permissions to eosio account and remove your public keys.
4. Test everything in a testnet before applying in live network.
5. Transfer the whole amount of airdrop tokens to a separate account dedicated to the airdrop, and distribute them from there.

If you really need to save on RAM, there are some good examples of airgrab contracts on Github, but such thing needs a thorough audit and testing before going live. The rest of the above recommendations applies: the contract needs to be immutable, and most of the funds should be controlled by a highly secure treasury account.