EOS Still Patching ‘Epic Vulnerabilities’ Just Days Ahead of Launch
Highly-anticipated blockchain project EOS is just days away from its scheduled production release, but its development team is still patching what security researchers have described as “epic vulnerabilities” present in its codebase. China-based cybersecurity firm Qihoo 360 on Tuesday reported that it had identified security flaws that would allow attackers to use a malicious smart contract to gain control of “all nodes of the EOS network” and manipulate transactions at will. The attacker could also turn those nodes into a de facto botnet, which they could then use to mine another cryptocurrency network or even launch a cyber attack. From the report:”The attacker can steal the private key of super nodes or control content of new blocks. What’s more, attackers can pack the malicious contract into a new block and publish it. As a result, all the full nodes in the entire network will be controlled by the attacker.”The disclosure of the vulnerability immediately raised questions about whether EOS would ship its code in early June as scheduled. EOS creator Block.one has yet not addressed the issue publicly and did not immediately respond to a request for comment. However, Qihoo 360 published screenshots indicating that its team was in contact with EOS lead developer Daniel Larimer, who quickly patched the issue on GitHub. He wrote:”If any of these asserts trigger in release it shouldn’t pass, but should throw. Allowing the code to continue running in release is a potential security vulnerability and will likely result in crashes elsewhere.”Meanwhile, Larimer has announced a bug bounty to help developers patch any remaining vulnerabilities before the software’s 1.0 release. Researchers can receive $10,000 awards for each unique bug that “can cause a crash, privilege escalation, or non-deterministic behavior in smart contracts.”Help us find critical bugs in #EOSIO before our 1.0 release. $10K for every unique bug that can cause a crash, privilege escalation, or non-deterministic behavior in smart contracts. Offer subject to change, ID required, validity decided at the sole discretion of Block One.— Daniel Larimer (@bytemaster7) May 28, 2018The EOS price entered a sharp decline following the disclosure of the vulnerability, though it has regained some of that lost ground in the hours since Larimer released a patch. At present, EOS is trading at a global average of $11.96, which represents a one percent decline against USD but a four percent decline against ETH