After the security incident of March 2023, core Hedera engineers conducted a thorough analysis of the Smart Contract Service and the Hedera Token Service system contracts. No new vulnerabilities were found, but the team looked for any behavioral differences between Hedera Token Service system contract APIs and those of Ethereum Virtual Machine (EVM) or ERC token APIs that could be used maliciously. To eliminate any possibility of such differences being used as attack vectors in the future, the consensus node software will align the behaviors of the Hedera Smart Contract Service and HTS system contracts with those of EVM and typical token APIs such as ERC 20 and ERC 721.
Developers are strongly encouraged to test their applications with new contracts and UX using the new security model to avoid unintended consequences.
The security update involves changes to entity permissions during contract executions when modifying state. In short, system contract calls (smart contract calls to the Hedera Token Service) are no longer executed with all upper caller privileges even if the authorized user provides a signature.
Below are some of the key functions impacted with the model update:
ContractId