“Huge vulnerabilities” in EOS network already fixed. Mainnet goes as planned

Yesterday, Chinese security giant Qihoo 360 discovered a series of vulnerabilities in the EOS blockchain platform. The news came just days before the upcoming EOS mainnet launch, which was scheduled for June 2, 2018. Naturally, questions immediately arose about EOS’ ability to deliver a safe and functional blockchain.

Qihoo 360’s Vulcan team is known for discovering and publishing similar security vulnerabilities in various blockchain projects. They published a post on Weibo (the Chinese version of Twitter) on May 28th which detailed a number of high-risk security vulnerabilities in the EOS mainnet. These vulnerabilities allowed external malicious players to remotely execute arbitrary code on native EOS nodes. In short, these vulnerabilities allowed remote attackers to take control of all the nodes running on EOS.

The Weibo post goes into detail about what has been officially named an EOS SuperNode Attack:

“In an attack, an attacker constructs and publishes a smart contract containing malicious code. The EOS super node will execute this malicious contract and trigger a security hole. The attacker then re-uses the super node to package the malicious contract into a new block, which in turn causes all full nodes in the network (alternate super node, exchange reload point, digital currency wallet server node, etc.) to be controlled remotely.”

They continue by saying: “Since the system of the node is completely controlled, the attacker can “do whatever it wants”, such as stealing the key of the EOS super node, controlling the virtual currency transaction of the EOS network; acquiring other financial and privacy data in the EOS network participating node system, such as an exchange Digital currency, the user’s key stored in the wallet, key user profiles, privacy data, and more. What’s more, the attacker can turn a node in the EOS network into a member of a botnet, launch a cyber-attack or become a free “miner” and dig up other digital currencies.”

These vulnerabilities are indeed a massive loophole which could have serious consequences if someone found a way to exploit them. An attacker could ultimately inject malicious code into every node on the network, effectively putting the entire EOS blockchain under their control. This would expose every EOS user’s financial and privacy data.

The 360 team announced that such vulnerabilities could lead to a series of unprecedented security risks. As their final word, they appealed to EOS developers and developers of other similar projects in the cryptosphere to look into these issues and patch them. In response, the people in charge of the EOS network said that the mainnet will not be officially launched until these issues are fixed.

The reactions from the internet have been anything but favorable. Redditor InconsiderateTlingit had a few choice words to comment on the news:

“Holy shit. That’s some fucking huge vulnerabilities!”

In the most recent update to the topic, Jinse reported that the panic might have been somewhat overblown, as the EOS team seems to have already fixed the issue. The 360 team apparently contacted the EOS team directly and worked with them to fix the problem as quickly as possible. The issue was reported around 10pm on the 28th of May; the repairs were completed around 2am on the 29th. Even Dan Larimer himself confirmed the fix.

The Jinse report claims that 360 may have even overreacted and overhyped the loopholes by publishing its report in a rather sensational way. They claim that the report was probably issued that way to gain popularity through clickbait and sensationalism. The implication here is that the issue was minor and could have been solved without the public fanfare which could discredit the project. Reddit user gungho1310 seems to agree, saying:

“It’s now evident to me that there are going to be targeted and sustained attacks from the usual suspects in the Reddit community to discredit EOS in the build up to launch. I have invested a lot of time into this project and so have a lot of confidence (I.e read : strong hands). However this will no doubt get to those who are susceptible to such stories and cause them to panic sell.”

They also claim that such an issue was expected to be found, as the rapid development of the blockchain industry is bound to come with some growing pains in terms of loopholes in security. Reddit user TNGSystems has an issue with this, saying:

“Does anybody not see that as worrying? I’m playing devil’s advocate here, but if you had money in a bank and, say, HSBC said “We fixed a security vulnerability but there are probably more – this is normal for our bank” would you not be worried?”

The coin’s price took a bit of a dive once the news popped up, dropping around 1200 satoshi to just above 15k sats. Once the news broke that the issue had been resolved, the price stabilized and continued to steadily climb. The negative sentiment seems to have passed, as Reddit user loginine says:

“God save those who panic sold.”

Ultimately the EOS mainnet hasn’t been cancelled and will go through as planned. We just have to wait and see if any more similar developments will occur by or after June 2nd.


Dobrica Blagojevic
CaptainAltcoin