Security firm discovers “epic” vulnerabilities in EOS
The vulnerability was promptly fixed. But wow.
Chinese cybersecurity firm 360 Vulcan has reportedly found major security issues in EOS just days before its mainnet launch, it said on Weibo. It reported the issues to the EOS team, who said they would not launch the mainnet until they had repaired the security holes. This was supposedly completed on 29 March.
On the one hand, the problems were apparently promptly solved, highlighting one of the major benefits of EOS: its ability to make significant programming changes without a slow and complicated hard fork. The issue was also found as part of EOS's bug bounty program, which is exactly when one expects to find these kinds of issues. At the same time, the original source of this information is 360 Vulcan, which naturally has a vested interest in playing up the scope of the problem.
On the other hand, 360 Vulcan described the vulnerabilities as "epic" in scale, and by the looks of it, that might be an understatement.
What an "epic" vulnerability looks like
If the reports are true, the exploit is basically a more complicated and high-stakes version of a malicious email.
It apparently involved sending a smart contract containing malicious code to the EOS supernode. The node would then execute it, opening up a hole for the attacker to gain access. With access to the supernode, the attacker could then pack the same malicious code into a new block and send it around to all the other network nodes, which would similarly execute it and give the attacker access.
Now they have complete and utter control of the entire EOS network.
They can steal the supernode keys, double spend at will and pull out any private data they want from the network, including accessing users' private keys, profiles and everything else. They could also turn the nodes into a botnet to better attack other networks and mine other cryptocurrencies.
The background issue
The problem has been fixed, but the sheer scale of the vulnerability is quite terrifying, especially this close to the mainnet launch. Bugs are expected in all systems (for example, there are thousands of dangerously broken smart contracts on the Ethereum network), but this bug is much bigger.
The main difference might be that none of those smart contracts are "load bearing," unlike the EOS supernode.
One of the main points of decentralisation is to avoid having a single point of failure for exactly this kind of reason. This gives credence to the common criticism that EOS is too centralised, and that it's not worth sacrificing decentralisation for speed and scalability. On the other hand, a network that can't scale isn't really suitable for mass adoption, so maybe it's a necessary sacrifice.
It might go to show that despite being just one so-called "Ethereum killer" among many, EOS is breaking new ground with a fresh take on the speed/security/decentralisation trilemma.
The discovery of this vulnerability is probably why EOS's prices fell even further than Ether's despite the former dumping a whole load of the latter on the spot market earlier today.
Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VEN, XLM, BTC and NANO.