The developers of one of the top-traded cryptocurrencies, EOS, say they’ve patched a critical vulnerability that reportedly could have compromised EOS’s entire forthcoming platform.
Chinese security company Qihoo 360 said in a Tuesday blog post that its researchers discovered an “epic” vulnerability in the EOS platform that could allow someone to manipulate all transactions.
In a technical write-up, security researchers with Qihoo 360 explained that a hacker would have been able to upload a smart contract with malicious code onto the EOS mainnet and take over a node. Smart contracts are a feature of blockchain and cryptocurrencies that allow for transactions without middlemen.
Once the malicious code takes control of a relevant server, an “attacker could then pack the malicious contract into new block (sic) and further control all nodes of the EOS network.”
Qihoo 360 warns that because of the distributed nature of blockchain technology, compromising one node can put the whole system at risk. In the vulnerability Qihoo 360 reported, attackers could steal private keys to cryptowallets, control transactions, view private data and hijack EOS nodes to cryptomine or conduct a denial of service attack.
“Due to the decentralized computing architecture, a security hole in a single blockchain node can compromise the whole network,” the researchers wrote.
While EOS hasn’t actually launched its mainnet yet, it’s already been distributing tokens on the Ethereum blockchain for sale and trade. The EOS mainnet is scheduled for launch on June 1.
Daniel Larimer appeared to downplay the severity of the flaw discovered by Qihoo in a series of messages posted Tuesday to Twitter.
In addition, Larimer tweeted out a bug bounty on Monday, offering $10,000 for information about any other unique software flaws that “cause a crash, privilege escalation, or non-deterministic behavior in smart contracts” before the EOS platform launches.
Help us find critical bugs in #EOSIO before our 1.0 release. $10K for every unique bug that can cause a crash, privilege escalation, or non-deterministic behavior in smart contracts. Offer subject to change, ID required, validity decided at the sole discretion of Block One.
— Daniel Larimer (@bytemaster7) May 28, 2018
According to cyberthreat intelligence firm GreyNoise, as of Tuesday midday, hackers had already begun to scan the internet looking for accidentally exposed EOS blockchain nodes. It appears that the scanning started shortly after Qihoo 360’s research was first published, but the two events are likely unrelated, according to BleepingComputer.
If you run an @EOS_io node, be aware of an actor at 185[.]169[.]231[.]209 sweeping the Internet for unauthenticated EOS RPC daemons on TCP/8888, specifically the /v1/wallet/list_keys endpoint.
— GreyNoise Intelligence (@GreyNoiseIO) May 29, 2018