Qihoo 360, a Chinese internet security company, has disclosed critical vulnerabilities in EOS, the blockchain and smart contract platform, only days before the EOS mainnet launch scheduled for 2 June. According to the company, the most serious of them could give an attacker control over the network's nodes and therefore over the cryptocurrency transactions it processes.
Yuki Chen of the Qihoo 360 Vulcan Team and Zhiniang Peng of the Qihoo 360 Core Security team found the flaw in the code an EOS node uses to parse a WASM file. WebAssembly (Wasm, WA) is a standard that defines a binary instruction format and a corresponding assembly-like text format; it is designed to execute at close to native speed, and EOS smart contracts are compiled to it, so every node has to parse and run contract bytecode it did not write. The researchers were able to exploit an out-of-bounds buffer write in that parser. An attacker would upload a malicious smart contract to a node; when the node parses the contract, the malformed data triggers the out-of-bounds write, the attacker's payload executes on the node, and the attacker gains control of the server. From there the attacker could pack the malicious contract into a new block, so that every other node parses it in turn and the attacker ends up controlling all nodes of the EOS network.
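The mechanism described above, as an added illustration that is not code from EOS, Qihoo 360 or any WASM implementation: a parser fills a fixed-size function table from an attacker-supplied element segment, trusting the offset and count read from the file. The segment layout here is a simplified, constructed one (LEB128 offset, count, then function indices), the table and "adjacent memory" are one local array so the overwrite stays observable without crashing, and the function names are invented. The hardened version rejects the segment before the first write, with the bounds check arranged so that `offset + count` cannot wrap around.

```c
/* Constructed example of an out-of-bounds write in a WASM-style table
 * parser, beside a bounds-checked version. Not EOS, binaryen or any real
 * project's code; segment format simplified for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 8    /* logical size of the module's function table */
#define MEMORY_SIZE 16  /* the table plus memory that happens to follow it */

/* Decode an unsigned LEB128 value (the varuint32 encoding WASM uses).
 * Returns bytes consumed, or 0 if the input is truncated or over-long. */
size_t read_varuint32(const uint8_t *p, size_t len, uint32_t *out)
{
    uint32_t result = 0;
    for (size_t i = 0; i < len && i < 5; i++) {
        result |= (uint32_t)(p[i] & 0x7f) << (7 * i);
        if (!(p[i] & 0x80)) {
            *out = result;
            return i + 1;
        }
    }
    return 0;
}

/* Vulnerable parser: trusts offset and count from the module and writes
 * straight into table[]. An offset >= TABLE_SIZE lands past the table. */
int apply_segment_unchecked(const uint8_t *seg, size_t len, uint32_t *table)
{
    uint32_t offset, count, fn;
    size_t pos = 0, n;

    if ((n = read_varuint32(seg + pos, len - pos, &offset)) == 0) return -1;
    pos += n;
    if ((n = read_varuint32(seg + pos, len - pos, &count)) == 0) return -1;
    pos += n;
    for (uint32_t i = 0; i < count; i++) {
        if ((n = read_varuint32(seg + pos, len - pos, &fn)) == 0) return -1;
        pos += n;
        table[offset + i] = fn;     /* no bounds check: the bug */
    }
    return 0;
}

/* Hardened parser: reject the segment before any write if it does not fit.
 * "count > table_size - offset" cannot wrap, unlike "offset + count". */
int apply_segment_checked(const uint8_t *seg, size_t len, uint32_t *table,
                          uint32_t table_size)
{
    uint32_t offset, count, fn;
    size_t pos = 0, n;

    if ((n = read_varuint32(seg + pos, len - pos, &offset)) == 0) return -1;
    pos += n;
    if ((n = read_varuint32(seg + pos, len - pos, &count)) == 0) return -1;
    pos += n;
    if (offset > table_size || count > table_size - offset) return -1;
    for (uint32_t i = 0; i < count; i++) {
        if ((n = read_varuint32(seg + pos, len - pos, &fn)) == 0) return -1;
        pos += n;
        table[offset + i] = fn;
    }
    return 0;
}

/* Constructed segments: offset, count, then count function indices. */
static const uint8_t benign_segment[] = { 0x02, 0x02, 0x05, 0xac, 0x02 }; /* offset 2, 2 entries: 5, 300 */
static const uint8_t evil_segment[]   = { 0x08, 0x01, 0xac, 0x02 };       /* offset 8 (== TABLE_SIZE), 1 entry: 300 */
static const uint8_t wrap_segment[]   = { 0xff, 0xff, 0xff, 0xff, 0x0f, 0x02, 0x01, 0x01 }; /* offset 0xffffffff, 2 entries */

/* Run the unchecked parser on the evil segment over a fresh memory image and
 * return what ended up in the slot just past the table (0 = boundary held). */
uint32_t demo_unchecked(void)
{
    uint32_t memory[MEMORY_SIZE] = {0};
    apply_segment_unchecked(evil_segment, sizeof evil_segment, memory);
    return memory[TABLE_SIZE];
}

/* Run the checked parser on a segment over a fresh memory image; return -1
 * if the segment was rejected, otherwise the entry at memory[idx]. */
int64_t demo_checked(const uint8_t *seg, size_t len, size_t idx)
{
    uint32_t memory[MEMORY_SIZE] = {0};
    if (apply_segment_checked(seg, len, memory, TABLE_SIZE) != 0) return -1;
    return memory[idx];
}

int main(void)
{
    printf("unchecked parser, evil segment: slot past table = %u\n", demo_unchecked());
    printf("checked parser, benign segment: table[3] = %lld\n",
           (long long)demo_checked(benign_segment, sizeof benign_segment, 3));
    printf("checked parser, evil segment: %lld\n",
           (long long)demo_checked(evil_segment, sizeof evil_segment, TABLE_SIZE));
    printf("checked parser, wrapping offset: %lld\n",
           (long long)demo_checked(wrap_segment, sizeof wrap_segment, 0));
    return 0;
}
```

The wrapping segment is the case a naive `if (offset + count > table_size)` check misses: 0xffffffff + 2 wraps to 1, which passes, and the loop then writes at `table[0xffffffff]`. In a real node the memory after the table belongs to other objects in the same process, which is what turns a parse error into code execution.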
Qihoo 360 reported the vulnerability to EOS. The following image shows the vulnerability reporting timeline.
Daniel Larimer, CTO of Block.one, the company behind EOS, said that EOS would not ship without a fix and asked the researchers to send the vulnerability report privately. The following figure shows the conversation between them.
As its whitepaper describes, EOS is a new blockchain architecture designed to enable vertical and horizontal scaling of decentralized applications. This is achieved by creating an operating-system-like construct on which applications can be built. The software provides accounts, authentication, databases, asynchronous communication, and the scheduling of applications across many CPU cores or clusters. The resulting technology is a blockchain architecture that may ultimately scale to millions of transactions per second, eliminates user fees, and allows quick and easy deployment and maintenance of decentralized applications within a governed blockchain.
Meanwhile, Larimer has announced a bug bounty on Twitter to help find and patch any remaining vulnerabilities before the software's 1.0 release.
Help us find critical bugs in #EOSIO before our 1.0 release. $10K for every unique bug that can cause a crash, privilege escalation, or non-deterministic behavior in smart contracts. Offer subject to change, ID required, validity decided at the sole discretion of Block One.
— Daniel Larimer (@bytemaster7) May 28, 2018