A few days before EOS's migration to its MainNet, the Chinese company Qihoo 360 Security Center announced on Weibo (a Chinese social network) and on its official blog the discovery of important vulnerabilities in the EOS blockchain.
One of these vulnerabilities allows arbitrary remote code execution on any EOS node, which would leave the platform exposed to direct manipulation of the entire network.
The discovery of these flaws came only a few hours after Dan Larimer (creator of EOS) offered a reward to anyone who helped him find bugs in the EOS network before its launch on June 1.
“Help us find critical bugs in #EOSIO before our 1.0 release. $10K for every unique bug that can cause a crash, privilege escalation, or non-deterministic behavior in smart contracts. Offer subject to change, ID required, validity decided at the sole discretion of Block One,” stated Dan on his Twitter account.
After discovering the vulnerability, the Qihoo 360 team contacted the EOS team on the morning of the 29th to report the problems and help repair them.
“The representative of EOS says: EOS will not go online unless these issues are fixed”
EOS SuperNode attack
“Attackers craft and release a smart contract containing malicious code. The EOS BP (block producer) will execute the malicious contract, which compromises the BP. Attackers then abuse the BP to pack the malicious contract into a new block, which in turn causes all the complete nodes of the network (alternative supernodes, exchange recharge points, digital coin wallet server nodes, etc.) to be controlled remotely,”
explained the Qihoo team.
With this attack, they could gain total control of all the nodes in the system and manipulate it at will: controlling EOS currency transactions and accessing private network data, personal data, user profiles, etc.
“Attackers can even turn the nodes within the EOS system into Botnet members, commanding them to form a DDoS attack or mine for the attackers’ sake,” they added.
The security flaws found in the platform could produce a series of unprecedented risks. The security company hopes that this discovery will serve to improve the blockchain network and that development teams will pay more attention to security so that this does not happen again.