Qihoo 360, a Chinese cybersecurity company, recently found several vulnerabilities in the EOS blockchain and smart contract platform. The discovery came just a few days before the scheduled release of the EOS mainnet on 2 June. According to the company, the uncovered vulnerabilities could lead to complete control of cryptocurrency transactions.
Yuki Chen of the Qihoo 360 Vulcan Team and Zhiniang Peng of the Qihoo 360 Core Security Team found the vulnerabilities in EOS while analyzing a WASM file. WebAssembly (Wasm, WA) is a web standard that defines a binary format and a corresponding text format for executable code in web pages. It allows code to run almost as fast as native machine code. The researchers were able to successfully exploit an out-of-bounds write vulnerability. Attackers could exploit this vulnerability by uploading a malicious smart contract to a node server. Once the node server has parsed the contract, the malicious payload could be executed on the server, and the attackers could take control of it. After that, the attacker could pack the malicious smart contract into a new block and take control of all nodes of the EOS network.
Qihoo 360 reported this vulnerability to EOS. The following picture describes the process of the discovery of this vulnerability.
Daniel Larimer, the CTO of EOS, explained that the company would fix the vulnerabilities before the mainnet is released. He asked the researchers to send the vulnerability report to him privately.
What is EOS?
According to the project's white paper, EOS is a new blockchain architecture that allows horizontal and vertical scalability for decentralized applications. The software offers accounts, authentication, databases, asynchronous communication and the scheduling of applications across many CPU cores or clusters. The resulting technology is a blockchain architecture that ultimately scales to millions of transactions per second, avoids user fees, and allows quick and easy deployment and maintenance of distributed applications in the context of a controlled blockchain.
In the meantime, Larimer has announced a bug bounty on Twitter to help programmers patch the existing vulnerabilities in version 1.0 of the software.
Help us find critical bugs in #EOSIO before our 1.0 release. $10K for every unique bug that can cause a crash, privilege escalation, or non-deterministic behavior in smart contracts. Offer subject to change, ID required, validity decided at the sole discretion of Block One.
— Daniel Larimer (@bytemaster7) May 28, 2018