Yesterday, Chinese security giant Qihoo 360 discovered a series of vulnerabilities in the EOS blockchain platform. The news came just days before the EOS mainnet launch, which was scheduled for June 2, 2018. Naturally, questions immediately arose about EOS’ ability to deliver a safe and functional blockchain.
Qihoo 360’s Vulcan team is known for discovering and publishing similar security vulnerabilities in various blockchain projects. On May 28th they published a post on Weibo (the Chinese version of Twitter) which detailed a number of high-risk security vulnerabilities in the EOS mainnet. These vulnerabilities allowed external malicious players to remotely execute arbitrary code on native EOS nodes. In short, these vulnerabilities allowed remote attackers to take control of all the nodes running on EOS.
The Weibo post goes into detail about what has been officially named an EOS SuperNode Attack:
These vulnerabilities are indeed a massive loophole which could have serious consequences if someone found a way to exploit them. An attacker could ultimately inject malicious code into every node on the network, effectively putting the entire EOS blockchain under their control. This would expose every EOS user’s financial and privacy data.
The 360 team announced that such vulnerabilities could lead to a series of unprecedented security risks. As their final word, they appealed to EOS developers and developers of other similar projects in the cryptosphere to look into these issues and patch them. In response, the people in charge of the EOS network said that the mainnet will not be officially launched until these issues are fixed.
The reactions from the internet have been anything but favorable. Redditor InconsiderateTlingit had some choice words to comment on the news:
“Holy shit. That’s some fucking huge vulnerabilities!”
In the most recent update to the topic, Jinse reported that the panic might have been somewhat overblown, as the EOS team seems to have already fixed the issue. The 360 team apparently contacted the EOS team directly and worked with them to fix the problem as quickly as possible. The issue was reported around 10pm on the 28th of May; the repairs were completed around 2am on the 29th. Even Dan Larimer himself confirmed the fix.
The Jinse report claims that 360 may have even overreacted and overhyped the loopholes by publishing its report in a rather sensational way. They claim that the report was probably issued that way to gain popularity through clickbait and sensationalism. The implication here is that the issue was minor and could have been solved without the public fanfare, which could discredit the project. Reddit user gungho1310 seems to agree, saying:
“It’s now evident to me that there are going to be targeted and sustained attacks from the usual suspects in the Reddit community to discredit EOS in the build up to launch. I have invested a lot of time into this project and so have a lot of confidence (I.e read : strong hands). However this will no doubt get to those who are susceptible to such stories and cause them to panic sell.”
They also claim that such an issue was expected to be found, as the rapid development of the blockchain industry is bound to come with some growing pains in terms of loopholes in security. TNGSystems from Reddit has an issue with this, saying:
The coin’s price took a bit of a dive once the news popped up, dropping around 1200 satoshi to just above 15k sats. Once the news broke that the issue had been resolved, the price stabilized and continued to steadily climb. The negative sentiment seems to have passed, as Reddit user loginine says:
“God save those who panic sold.”
Ultimately the EOS mainnet hasn’t been cancelled and will go through as planned. We just have to wait and see if any more similar developments will occur by or after June 2nd.