Recently, the Qihoo 360 team discovered a series of high-risk security vulnerabilities in the EOS blockchain platform. It has been verified that some of these vulnerabilities allow remote arbitrary code execution on an EOS node; that is, a remote attacker can directly control and take over every node running EOS.
In the early morning of the 29th, 360 first reported the vulnerabilities to EOS officials and helped them fix the security issues. The person in charge of the EOS MainNet said that the EOS MainNet will not be officially launched until these issues are fixed.
The destructive potential of blockchain vulnerabilities
Vulnerabilities in traditional software may be exploited to launch cyber attacks, causing data and privacy leaks and even affecting the physical world. A cryptocurrency is itself a financial system, so security flaws in cryptocurrency and blockchain networks tend to have more serious and more direct consequences.
Because blockchain networks are decentralized, a security vulnerability in the implementation of a blockchain node may let thousands of nodes be attacked at once. Even a denial-of-service vulnerability, which is considered relatively harmless in traditional software, may trigger an attack storm across the entire network, with a huge impact on the whole cryptocurrency system.
EOS super nodes under attack
In an attack, the attacker constructs and publishes a smart contract containing malicious code. An EOS super node executes this malicious contract and triggers the vulnerability in the node's smart contract virtual machine. The attacker then uses the compromised super node to package the malicious contract into a new block, which in turn causes every full node in the network (standby super nodes, exchange deposit nodes, cryptocurrency wallet server nodes, and so on) to execute it and be controlled remotely.
Since the node's system is completely controlled, the attacker can "do whatever it wants", such as stealing the keys of the EOS super node and controlling the virtual currency transactions of the EOS network, or acquiring other financial and private data from the systems of nodes participating in the EOS network, such as an exchange's cryptocurrency, users' keys stored in wallets, key user profiles, private data, and more.
What's more, the attacker can turn a node in the EOS MainNet into a member of a botnet, use it to launch cyber attacks, or turn it into free "mining" capacity for other cryptocurrencies.
Blockchain: security needs more attention
EOS is a new blockchain platform known as "blockchain 3.0". Currently, its token market capitalization is as high as $10 billion, ranking fifth in global market capitalization.
In blockchain networks and cryptocurrency systems there are many attack surfaces: nodes, wallets, mining pools, exchanges, and smart contracts. The 360 security team has previously discovered and disclosed serious security vulnerabilities in mining pools and smart contracts.
The series of new security vulnerabilities discovered by the 360 security team in the smart contract virtual machine of the EOS platform represents a class of security risk that security researchers had not reported before. This type of security issue affects not only EOS but also other blockchain platforms and virtual currency applications.
360 said it hopes that the discovery and disclosure of these vulnerabilities will prompt the blockchain industry and security peers to pay more attention to this class of issue and jointly improve the security of blockchain networks.