
Chinese Firm 360 Claims EOS Possesses Flaw that Permits Remote Control of Full Nodes

May 29, 2018, 8:51AM

Chinese security firm 360 has reportedly discovered critical security flaws in the major project EOS that allow remote control of full nodes.

Reports on Weibo, the popular Chinese microblogging site, say that EOS, the major Ethereum rival with a market cap of over $1.5 billion and ranked 5th on Coinmarketcap, has major security vulnerabilities that could lead to full nodes being compromised. The original source can be found here. The EOS team has yet to respond to this revelation.

The security vulnerabilities were first discovered by Chinese security and research firm 360. The vulnerabilities in question would allow code to be executed remotely on EOS nodes. Earlier this month, Vitalik Buterin directly commented on EOS’ GitHub page, indicating the security weaknesses of the project’s consensus mechanism, albeit for a different reason. 

The exploit works by creating a smart contract that contains malicious code. When the EOS super node executes the contract, it triggers the security flaw, which allows all nodes to be controlled remotely.

The post states:

“Specifically, in an attack, an attacker constructs and publishes a smart contract containing malicious code, and the EOS super node will execute this malicious contract and trigger a security hole in it. The attacker then re-uses the super node to package the malicious contract into a new block, which in turn causes all full nodes in the network (alternate super node, exchange reload point, digital currency wallet server node, etc.) to be controlled remotely.” 

If proven to be true, this is no small flaw in the network. Attackers who control the nodes in a network have virtually total control over how the network functions. They can determine the validity of transactions, enlist the nodes in a botnet and dig up private data.

EOS Launch May be Delayed

Fortunately, for token holders of EOS, 360 has reported the vulnerability to the EOS team. No official response has been made yet, though the launch of the platform, slated for June 1, has apparently been delayed. 

While this news will rain on investors’ parade, the discovery of such vulnerabilities is a vital step in the lifetime of a project. Such flaws have devastating consequences for blockchain-based services, given that they directly affect the finances of users. The EOS project might then consider itself lucky that the flaw was discovered before the launch of its mainnet.

This is a developing story...
