Qihoo 360, a well-known Chinese internet security research firm, has discovered a critical bug in the EOS node software that can be used by attackers to execute code on nodes remotely. It has since warned the EOS blockchain project about a series of serious vulnerabilities found on the platform.
The official blog post on Qihoo 360’s website reads:
“This vulnerability could be leveraged to achieve remote code execution in the nodeos process, by uploading malicious contracts to the victim node and letting the node parse the malicious contract. In a real attack, the attacker may publish a malicious contract to the EOS main network”.
According to the report, an attacker could steal the private keys of the block-producing ("super") nodes and use them to control the content of newly created blocks. The attacker could also pack malicious contracts into new blocks, which every node on the network would then parse, potentially bringing the entire network under the attacker's control.
From there, attackers could take over every node on the network, including those run by cryptocurrency wallets and exchanges, giving them full control of the private keys used to sign transactions.
Qihoo 360 informed EOS lead developer Daniel Larimer of these issues, but EOS has yet to comment publicly on the situation.
The only publicly available response was posted by Larimer on GitHub:
“If any of these asserts trigger in release it shouldn’t pass, but should throw. Allowing the code to continue running in release is a potential security vulnerability and will likely result in crashes elsewhere”.
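Larimer's comment points at a general failure mode: a bounds check written as `assert()` is compiled out of release builds (`-DNDEBUG` turns it into `((void)0)`), so a malformed input that would have tripped it in a debug build passes silently and the parser carries on with out-of-bounds values. The C++ below is an added illustration of that pattern beside its fix; it is not code from nodeos or from Qihoo 360's report, and the two-byte section layout, the function names and the sample blobs are made up for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Release builds of C/C++ projects are normally compiled with -DNDEBUG, which
// turns every assert(expr) into ((void)0). To make the example behave the same
// however this file is compiled, the macro below reproduces that release-mode
// expansion unconditionally.
#define RELEASE_ASSERT_NOOP(expr) ((void)0)

// Made-up section layout for the example: byte 0 is a section id, byte 1 is
// the declared payload length, and the payload follows.
struct Section {
    uint8_t id;
    size_t offset;   // where the payload starts inside the blob
    size_t length;   // payload length as declared by the (untrusted) input
};

// Vulnerable pattern: the only bounds check is a debug-only assert, so in a
// release build it vanishes and the returned Section may extend past the blob.
Section parse_section_assert_only(const std::vector<uint8_t>& blob) {
    if (blob.size() < 2) throw std::runtime_error("truncated header");
    Section s{blob[0], 2, blob[1]};
    RELEASE_ASSERT_NOOP(s.offset + s.length <= blob.size());
    return s;
}

// Hardened pattern: the check is ordinary code that is always compiled in and
// fails closed by throwing. The subtraction form avoids integer overflow in
// offset + length for large declared lengths.
Section parse_section_checked(const std::vector<uint8_t>& blob) {
    if (blob.size() < 2) throw std::runtime_error("truncated header");
    Section s{blob[0], 2, blob[1]};
    if (s.length > blob.size() - s.offset)
        throw std::out_of_range("declared section length exceeds input");
    return s;
}

// True when the section's payload lies entirely inside a blob of blob_size bytes.
bool section_in_bounds(const Section& s, size_t blob_size) {
    return s.offset <= blob_size && s.length <= blob_size - s.offset;
}

// Reports whether the assert-only parser hands back an out-of-bounds section
// for the given input; a consumer that trusted it would read past the buffer.
bool assert_only_parser_overruns(const std::vector<uint8_t>& blob) {
    return !section_in_bounds(parse_section_assert_only(blob), blob.size());
}

// Reports whether the checked parser rejects the input with out_of_range.
bool checked_parser_rejects(const std::vector<uint8_t>& blob) {
    try {
        parse_section_checked(blob);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

// Constructed sample inputs, not taken from any real contract.
std::vector<uint8_t> well_formed_blob() { return {0x01, 0x03, 'a', 'b', 'c'}; }
// Declares 16 payload bytes but carries only 3.
std::vector<uint8_t> oversized_blob()   { return {0x01, 0x10, 'a', 'b', 'c'}; }

int main() {
    std::printf("assert-only parser overruns on oversized input: %s\n",
                assert_only_parser_overruns(oversized_blob()) ? "yes" : "no");
    std::printf("checked parser rejects oversized input:         %s\n",
                checked_parser_rejects(oversized_blob()) ? "yes" : "no");
    std::printf("checked parser accepts well-formed input:       %s\n",
                checked_parser_rejects(well_formed_blob()) ? "no" : "yes");
    return 0;
}
```

The design point is the one in Larimer's comment: any check whose failure must stop processing of untrusted input belongs in ordinary control flow that throws or aborts in every build configuration, never in `assert()`.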
It is not yet known whether the EOS mainnet launch, planned for this weekend, will go ahead on time or be postponed because of these findings.
Some bugs can be fixed in a matter of hours, but some outside experts consider the one revealed here too serious to be fixed safely only days before launch.
Meanwhile, Larimer took to Twitter to ask for help finding other bugs that could affect the platform's security or the correctness of the system, offering a bounty:
Help us find critical bugs in #EOSIO before our 1.0 release. $10K for every unique bug that can cause a crash, privilege escalation, or non-deterministic behavior in smart contracts. Offer subject to change, ID required, validity decided at the sole discretion of Block One.
— Daniel Larimer (@bytemaster7) May 28, 2018
EOS is the world's fifth-largest cryptocurrency, with a market cap of $10.6 billion. After Qihoo 360's report was published, the EOS price fell roughly 11%, to $10.93. According to CoinMarketCap, the coin was trading at $11.99 at press time, suggesting a slow recovery.