Chinese cyber-security firm 360 Total Security has identified a series of “epic” security vulnerabilities in the EOS network. The team determined that a remote attacker could potentially take over, and exercise full control over, all the nodes running on the network.
360 Total Security is a leading Chinese company in the field of antivirus software. Reportedly, early on May 29th, its team identified a series of very high-risk security vulnerabilities in the EOS network. The news appeared in a Weibo publication and was quickly tweeted by the Twitter account cnLedger:
1/ Chinese Internet security giant 360 has found “a series of epic vulnerabilities” in the #EOS platform. Some of the bugs allow arbitrary code to be executed remotely on EOS nodes and even take full control of the nodes.
Source (in Chinese): https://t.co/pt6nj6EodP
— cnLedger [Not giving away ETH] (@cnLedger) May 29, 2018
What’s the Problem?
The information shared by 360 goes on to explain what the vulnerabilities consist of. In a potential attack, the attacker publishes a smart contract that contains malicious code. A supernode of the EOS network would then execute that malicious contract, opening a security hole on the node.
The attacker could then use the compromised supernode to package the already executed malicious contract into a brand new block. Because every full node in the network, including the digital currency wallet server nodes and the backup supernodes, processes that block, all of them could be remotely controlled.
The blog post goes on to explain that this chain of events could allow the attacker to do essentially anything. The attacker could, in theory, steal the key of the network’s supernode, control the virtual currency transactions carried out on the EOS network, acquire the users’ keys stored in their wallets, access key user profiles, and more.
Going further, a potential attack could cause damage to external networks as well:
…the attacker can turn a node in the EOS network into a member of a botnet, launch a cyber attack or become a free “miner” and dig up other digital currencies.
We have yet to see an official response from EOS’ team. However, according to the original publication, the 360 team has reported the bugs to EOS, and states that:
The person in charge of the EOS network said that the EOS network will not be officially launched until these issues are fixed.
The migration of the current Ethereum-based EOS tokens is scheduled to take place when the platform’s main network launches on June 2nd. For eosDAC, the date is June 1st, 2018, at 11:59 UTC.