EOS blockchain Vulnerability Found by Chinese Team – No need to panic
For those looking for an official source, or wondering whether this is fake news: this was posted by the official verified 360 Vulcan security team (Qihoo 360, a huge Chinese internet security company). Their profile: https://weibo.com/qihoo?is_hot=1
The actual post by that account on Weibo
Here is the google-translated version of the press release:
360 discovers epic blockchain vulnerabilities: full control over virtual currency transactions
360 Security Guardian, published on 2018-05-29 12:38:08, readings: 330,000+
EOS blockchain vulnerability is enough to decipher the digital system
Recently, the 360 Vulcan team discovered a series of high-risk security vulnerabilities in blockchain platform EOS. It has been verified that some of these vulnerabilities can remotely execute arbitrary code on the EOS node. That is, remote attacks can directly control and take over all nodes running on EOS.
The person in charge of the EOS network said that the EOS network will not be officially launched until these issues are fixed.
Defective digital blockchain vulnerability
Vulnerabilities in the traditional software domain may be exploited to initiate cyber attacks, causing data and privacy leaks, and even impacts on real life. A digital currency itself is a financial system, so security loopholes in digital currency and blockchain networks tend to have more serious and direct impacts.
Due to the decentralized computing characteristics of blockchain networks, a security vulnerability in the implementation of a blockchain node may cause thousands of nodes to be attacked. Even a denial-of-service vulnerability that is considered relatively harmless in the area of traditional software vulnerabilities may trigger storm attacks on the entire network in a blockchain network, causing a huge impact on the entire digital currency system.
EOS SuperNode Attack: Fully Controlled Virtual Currency Trading
In an attack, an attacker constructs and publishes a smart contract containing malicious code. The EOS super node will execute this malicious contract and trigger a security hole. The attacker then re-uses the super node to package the malicious contract into a new block, which in turn causes all full nodes in the network (alternate super node, exchange reload point, digital currency wallet server node, etc.) to be controlled remotely.
Since the system of the node is completely controlled, the attacker can “do whatever it wants”, such as stealing the key of the EOS super node and controlling the virtual currency transactions of the EOS network, or acquiring other financial and privacy data in the systems of EOS network participating nodes, such as an exchange’s digital currency, the user’s keys stored in the wallet, key user profiles, privacy data, and more.
What’s more, the attacker can turn a node in the EOS network into a member of a botnet, launch a cyber attack or become a free “miner” and dig up other digital currencies.
Blockchain network security concerns need attention
EOS is a new blockchain platform known as “blockchain 3.0”. Currently, its market value of tokens is as high as 69 billion yuan, ranking fifth in global market capitalization.
In blockchain networks and digital currency systems, there are many attack surfaces: nodes, wallets, mining pools, exchanges, and smart contracts. The 360 security team has previously discovered and disclosed multiple serious security holes in digital currency nodes, wallets, mining pools, and smart contracts.
The series of new security vulnerabilities discovered by the 360 security team in the smart contract virtual machine on the EOS platform is a series of unprecedented security risks. Security researchers have not found such problems before. This type of security issue affects not only EOS but also other types of blockchain platforms and virtual currency applications.
360 expressed the hope that the discovery and disclosure of this loophole will cause the blockchain industry and security peers to pay more attention to the security of such issues and jointly enhance the security of the blockchain network.
1/ Chinese Internet security giant 360 has found "a series of epic vulnerabilities" in the #EOS platform. Some of the bugs allow arbitrary code to be executed remotely on EOS nodes and even full control of the nodes to be taken.
Source (in Chinese): https://t.co/pt6nj6EodP
— cnLedger [Not giving away ETH] (@cnLedger) May 29, 2018
I believe there is no need to panic at the moment. It is very fortunate that the bug was found before the mainnet launch. In my opinion it is always the best option to wait for an official response from block.one.
Apparently, according to Weibo, the bugs in the code for the EOS platform would allow an attacker to execute malicious code on an EOS super-node through a smart contract. This super-node would then package the malicious contract into the next block, and thus distribute it to the entire network.
With this vulnerability the attacker has full control of the EOS node.
There is still no official news from the EOS team. The EOS network still seems to be set to launch at midnight on the 3rd of June (GMT +1, Zurich).
There definitely was some panic selling in the market. However, most of the time it is still better to just wait it out.