
Security firm discovers “epic” vulnerabilities in EOS

Posted: 29 May 2018 6:21 pm
News

The vulnerability was promptly fixed. But wow.

Chinese cybersecurity firm 360 Vulcan has reportedly found major security issues in EOS just days before its mainnet launch, according to a post it made on Weibo. It reported the issues to the EOS team, who said they would not launch the mainnet until they had repaired the security holes. This was supposedly completed on 29 March.

On the one hand, the problems were apparently promptly solved, highlighting one of the major benefits of EOS: its ability to make significant programming changes without a slow and complicated hard fork. The bug was also found as part of EOS's bug bounty program, which is exactly where one expects to find these kinds of issues. At the same time, the original source of this information is 360 Vulcan, which naturally has a vested interest in playing up the scope of the problem.

On the other hand, 360 Vulcan described the vulnerabilities as "epic" in scale, and by the looks of it, that might be an understatement.



What an "epic" vulnerability looks like

If the reports are true, the exploit is basically a more complicated and high-stakes version of a malicious email.

It apparently involved sending a smart contract containing malicious code to an EOS supernode. The node would then execute it, opening up a hole that gave the attacker access. With access to the supernode, the attacker could then pack the same malicious code into a new block and send it around to all the other network nodes, which would similarly execute it and give the attacker access to them too.

Now they have complete and utter control of the entire EOS network.

They can steal the supernode keys, double spend at will and pull out any private data they want from the network, including accessing users' private keys, profiles and everything else. They could also turn the nodes into a botnet to better attack other networks and mine other cryptocurrencies.

The background issue

The problem has been fixed, but the sheer scale of the vulnerability is quite terrifying, especially this close to the mainnet launch. Bugs are expected in all systems (there are, for example, thousands of dangerously broken Ethereum smart contracts on that network), but this bug is much bigger.

The main difference might be that none of those smart contracts are "load bearing," unlike the EOS supernode.

One of the main points of decentralisation is to avoid having a single point of failure for exactly this kind of reason. This gives credence to the common criticism that EOS is too centralised, and that it's not worth sacrificing decentralisation for speed and scalability. On the other hand, a network that can't scale isn't really suitable for mass adoption, so maybe it's a necessary sacrifice.

It might go to show that despite being just one so-called "Ethereum killer" among many, EOS is breaking new ground with a fresh take on the speed/security/decentralisation trilemma.

The discovery of this vulnerability is probably why EOS's prices fell even further than Ether's despite the former dumping a whole load of the latter on the spot market earlier today.


Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VEN, XLM, BTC and NANO.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.
