Ana Sullivan

EOS Under Threat - Critical Bugs Found In Smart Contract Nodes

by Ana Sullivan May 30, 2018

EOS is the foundation to lead all tokens and many experts have predicted that it’s price is likely to go straight to the skies and be the BitCoin of tokens out there. The token is using Ethereum’s smart contract system, making it an ERC-20 type of token, but the team is actively working on making their project autonomous and independent. And while this happens, critical RCE bugs have been found in the Smart Contract System of EOS that can allow hackers to take complete control over the services that are responsible for the critical blockchain-based apps. This critical flow is now being fixed, but does it mean that EOS is not so secure as we thought or does it mean that there is a good teamwork towards making EOS very secure?

 

What Were the Vulnerabilities Found In EOS?

Since EOS is aimed at becoming the 3.0 version of Blockchain as we know it, allowing devs to create dapps over it’s infrastructure, similar to what Ethereum does, it is regarded by many as a very secure project. But just like Ethereum, EOS seems to be meeting it’s first bus,that were discovered by the Chinese researchers at Qihoo 460 – Yuki Chen and Zhiniang Peng’s Core security team. There have been several vulnerabilities found, but the main one is a buffer out-of-bonds bug, which is basically a bug that is in the nodes server, responsible for smart contract – a bottleneck on which the whole blockchain security is dependent.

 

The bug itself Is susceptible to hacker attacks, meaning that if you are a hacker and want to take control of a specific node you have set your sights at, you have to perform a remote code execution type of attack on it. To do this, the hackers have to upload what appears to be a malicious WASM file which is basically a smart contract, written in the WebAssembly language. This smart contract, uploaded on the targeted server is being automatically read and when this happens, the malicious payload is automatically triggered on the node. This activity results in the hacker being able to execute all types of commands on the node and collect transaction data in order to combine it into blocks. This means that the hacker can drain huge sums of token units from the network and track transaction information as well.

In addition to this, the researchers also raised alarms that the attackers can somehow also combine blocks to make them spread further to all nodes with similar payload or commands which could result over the complete control of all the EOS network nodes. And once they have this control, the attackers can do absolutely anything they want to do and this includes controlling transactions, acquiring other financial data and other permissions.

And not only this, but the researchers feel convinced that this vulnerability can also cause a lot of trouble for other blockchains as well, running similar network structure, since after all they all use the same ERC-20 type of source code.

In response to this, the EOS team has tweeted on their official Twitter page, the following:

 

"Media has incorrectly reported a potential delay in the release of EOSIO V1 due to software vulnerabilities. Our team has already fixed most and is hard at work with the remaining ones. EOSIO V1 is on schedule; please stay tuned to our EOSIO channels for official information."

Source: https://twitter.com/EOS_io/status/1001697690890194956

 

So while these types of vulnerabilities keep getting discovered out there, they do raise quite the interesting possibilities of what can occur in the future, given that trust is put into crypto. But they also show something else – commitment to make the future of financing and blockchain more safe and discoveries of bugs, like the ones found in EOS are, believe it or not, a good thing, because this is the best way to raise awareness when it comes to the cyber-security aspect of crypto – something that is often disregarded ever since the first bugs in BitCoin started surfacing.

Comments 0

Type the characters that you see in the box (5 characters).