Critical Vulnerabilities Exposed in EOS Blockchain – Could Delay June 2nd Mainnet Launch

Critical Vulnerabilities Spotted in EOS Blockchain 

Qihoo 360 – a cybersecurity firm based in China – has uncovered a number of vulnerabilities in the EOS blockchain. According to a report published by Qihoo 360, these vulnerabilities could leave EOS nodes open to attack by remote entities. In the report, released on Tuesday, May 29th, the internet security company states that EOS developers have been informed and that the EOS mainnet might not go live unless these vulnerabilities are removed.

Per Chinese news media company Jinse, the EOS team requested that these vulnerabilities not be disclosed to the public while also claiming that the vulnerabilities had been removed. Qihoo 360’s report, published on the Chinese Weibo news website, claimed that an attacker could potentially write code within smart contracts that would allow access to a supernode on the EOS network. The code, per the report, could be easily entered into a new block on the EOS blockchain, after which the bad actor could gain control of all nodes on the blockchain.

Easy Access to Users’ Private Keys on EOS Blockchain

After gaining control of all nodes on the EOS blockchain, the attacker would also gain access to users’ data, since they would have access to users’ private keys. Additionally, the bad actor would control all the cryptocurrency on the EOS blockchain. They could even begin to mine other cryptocurrencies on the EOS network.

Per the Qihoo 360 team, these vulnerabilities pose “unprecedented security risks.” As noted by the company’s researchers: 

“the discovery and disclosure of this loophole will cause the blockchain industry and security peers to pay more attention to the security of such issues and jointly enhance the security of the blockchain network.”

EOS Might Be Easily Hacked

Like most crypto platforms, EOS is open-source, so anyone can view its source code. Its smart-contract-based network is often referred to as “Blockchain 3.0”. Its developers’ stated goal is to enable computer programmers to create dApps (decentralized/distributed applications) on its blockchain, similar to TRON and Ethereum.

Also worth noting: the vulnerability is an out-of-bounds buffer write in the functions that EOS nodes call to process smart contracts. Here is the timeline of the vulnerability reports, put together by Yuki Chen from Qihoo 360 and Zhiniang Peng:

–> EOS Out-of-bound Write Vulnerability
     – Detected: May 11th, 2018

–> Full Exploit Demo of Compromise EOS Super Node
     – Completed: May 28th, 2018
     – Reported to EOS: May 28th, 2018

–> EOS Fixes Vulnerability, But Fixing NOT Complete
     – Reported: May 29th, 2018
