
Skimming the CREAM – recursive withdrawals loot $13M in cryptocash
2021-08-31 18:57

Apparently, the company has rushed out a brand new security system for its cryptocurrency storage, and is now telling customers to "Rest assured, [...] our state-of-the-art technology ensures assets remain secure at all times. [...] Your assets are safe with us and will always be."

Imagine smart contract code that lets the other party check that they have at least $X in their account; then calls smart contract code on their side of the deal to process $X; and only then deducts that $X from their account.

Don't worry if you aren't a programmer, because the overall misbehaviour should be clear: you're accepting function calls to a smart contract called company.

If you trace the program flow with your finger, you will see that if the customer correctly authenticates their account, and has at least 1000 units of credit available to pass the initial balance check, then if they trigger a transaction by issuing a call company.Contract(1000):

      // So there is apparently still 1000 to spend
0008: // And we get to spend our first 1000 again
0009: call company.Contract); // Again re-enter withdraw() at the top
000A: call company.
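The check-call-deduct ordering described above, as an added simulation that is not the article's code and not CREAM's contract: a ledger whose withdraw() runs the balance check, then hands control to the customer's code, then deducts, beside the same function with the deduction moved before the external call. The customer object that re-enters withdraw() from its callback, and the balances, are constructed for the example.

```python
# Added example: simulate the re-entrancy the article walks through.
# Ledger.withdraw() has two orderings: the vulnerable check -> call -> deduct
# sequence, and the hardened check -> deduct -> call sequence.

class Ledger:
    def __init__(self, balance, safe):
        self.balance = balance   # customer's credit as the ledger records it
        self.paid_out = 0        # what the company actually handed over
        self.safe = safe         # True: deduct before the external call

    def withdraw(self, amount, customer):
        # Step 1: the balance check (same in both orderings)
        if self.balance < amount:
            raise ValueError("insufficient credit")
        if self.safe:
            # Hardened: update the ledger first, so any re-entrant call
            # made from customer.receive() sees the reduced balance.
            self.balance -= amount
            self.paid_out += amount
            customer.receive(self, amount)
        else:
            # Vulnerable: customer code runs while the balance is untouched,
            # so a nested withdraw() passes the check again.
            self.paid_out += amount
            customer.receive(self, amount)
            self.balance -= amount


class ReenteringCustomer:
    """Constructed customer contract whose receive() calls withdraw() again."""
    def __init__(self, repeats):
        self.remaining = repeats

    def receive(self, ledger, amount):
        if self.remaining > 0:
            self.remaining -= 1
            try:
                ledger.withdraw(amount, self)   # re-enter at the top
            except ValueError:
                pass                            # balance check finally failed


def run(safe, balance=1000, repeats=3):
    """Return (total paid out, final ledger balance) for one withdraw(1000)."""
    ledger = Ledger(balance, safe)
    ledger.withdraw(1000, ReenteringCustomer(repeats))
    return ledger.paid_out, ledger.balance
```

With 1000 of credit and three re-entries, the vulnerable ordering pays out 4000 and leaves the ledger at -3000; the hardened ordering pays out 1000 and stops at 0. The detection signal is the same in both forms: paid_out exceeding the starting balance, or a balance going negative, should never happen.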


News URL

https://nakedsecurity.sophos.com/2021/08/31/skimming-the-cream-recursive-withdrawals-loot-13m-in-cryptocash/