Qihoo 360, a Chinese internet security company, has discovered multiple critical vulnerabilities in the blockchain and smart contracts platform. Qihoo 360 has published huge vulnerabilities on EOS platform. This came only a few days before the upcoming EOS mainnet launch scheduled on 2nd June. According to the company, these vulnerabilities could lead to a full control of cryptocurrencies transactions.
Yuki Chen of Qihoo 360 Vulcan Team and Zhiniang Peng of Qihoo 360 Core Security team found loopholes in EOS when they parsed a WASM FILE. WebAssembly (Wasm, WA) is a web standard that defines a binary format and a corresponding assembly-like text format for executable code in Web pages. It is meant to enable executing code nearly as fast as running native machine code. Researches were able to successfully exploit a buffer out-of-bounds write vulnerability. Hackers could use this vulnerability by uploading a malicious smart contract to the nodes server and after the contract get parsed by nodes server, the malicious payload could execute on the server and because of this hackers can take control of the server. After this attacker could then pack the malicious contract into new block and further control all nodes of the EOS network.
Qihoo 360 reported this vulnerability to EOS. Following image is displaying the vulnerability reporting timeline.
CTO of EOS, Daniel Larimer said that company will not ship the EOS without fixing, and asked researchers to send the vulnerability report privately. Following figure shows the conversation between them
As mentioned in its whitepaper, it is a new blockchain architecture designed to enable vertical and horizontal scaling of decentralized applications. This is achieved by creating an operating system-like construct upon which applications can be built. The software provides accounts, authentication, databases, asynchronous communication, and the scheduling of applications across many of CPU cores or clusters. The resulting technology is a blockchain architecture that may ultimately scale to millions of transactions per second, eliminates user fees, and allows for quick and easy deployment and maintenance of decentralized applications, in the context of a governed blockchain.
Meanwhile, Larimer has announced a bug bounty on Twitter to help coders patch any remaining vulnerabilities before the software’s 1.0 release.
Help us find critical bugs in #EOSIO before our 1.0 release. $10K for every unique bug that can cause a crash, privilege escalation, or non-deterministic behavior in smart contracts. Offer subject to change, ID required, validity decided at the sole discretion of Block One.
— Daniel Larimer (@bytemaster7) May 28, 2018