Connect with us

EOS

Understanding the exploit that made EOS.IO “unusable” for two hours

On Sept. 13, an attacker flooded the EOSIO network to drain $110,000 in EOS from a gambling dApp. During the process, many user-facing applications were unusable due to congestion. Here’s how the hacker did it, in detail.

Basics of the network congestion exploit

Four days ago, an attacker pushed the EOS network into “high congestion mode” as part of a smart contract exploit. The maneuver temporarily made some free network resources unavailable, making many applications on the network “unusable” to smaller token holders for over two hours.

Although the network was still accessible (for example, a block explorer would still work), many were “prevented from publishing updates” or “doing anything actively on the chain” unless they paid for prohibitively costly network resources.

At the peak of network congestion, it required nearly 12 EOS to make a single feeless transaction on the network, said one community member. For context, Most blockchains attach a fee directly to transactions. EOSIO allows users to stake their tokens in exchange for network resources.

The attacker was able to rent a huge amount of network resources on a recently opened resource exchange. These resources were leveraged to select which valid transactions would get included on the blockchain to manipulate gambling dApp outcomes.

During this time, the maintainers of the gambling dApp did not have enough EOS on hand to take their contract offline (or take any preventative actions at all). This allowed the attacker to drain the smart contract for 30,000 EOS, at the cost of 300 EOS in rented network resources, at their leisure.

Identifying the attacker

Beginning Aug. 17, the user “mumachayinmm” started conducting tests against a variety of gambling dApps. After just under a month of testing, mumachayinmm rented the equivalent of 1.45 million EOS in network resources.

Previously, this would have required some $5.8 million in tokens. But REX, a new service launched in May, allows users to stake their EOS for security and voting purposes while selling the network resources their stake entitles them to. After REX, 1.45 million EOS in network resources cost just $1,200.

Resources on the attacker's account
Source: Bloks.io

On Sept. 13, mumachayinmm started flooding EOSIO with hundreds of thousands of transactions.

Spam transactions
Sample of some of the attacker’s spam transactions. Source: Bloks.io

Technical details behind the gambling dApp exploit

EOSPlay is a decentralized gambling dApp that offers games such as poker and dice. What made the service exploitable was how it generated random numbers for these games.

Instead of using a secure source of randomness, EOSPlay used the EOSIO blockchain as its source of entropy. Unfortunately, information on a blockchain can be manipulated.

As an example, on Bitcoin miners who find a block get to select which transactions are included at their discretion, so long as they’re legal transactions. Theoretically, if a dApp used transactions on Bitcoin to make calculations then large miners could game it.

On EOSIO, a similar way to manipulate the blockchain is to amass enough network resources to include whichever transactions are desired over all other users.

Specifically, what the attacker did was put deferred transactions into each block, said Dexaran, a respected smart contract developer. These blocks were the ones EOSPlay used to calculate random numbers.

By monopolizing network resources, the attacker could then calculate the random number before the contract could. If the number was a losing number, then the deferred transactions started an “infinite loop,” pushing random number generation to the next block, said Dexaran.

The maneuver allowed mumachayinmm to win on EOSPlay over and over again.

Illicit EOS winnings
Tens of thousands of EOS in illicit winnings. Source: Bloks.io

EOSPlay helpless during the attack

To make matters worse, the maintainers behind the gambling dApp did not stake enough EOS to cover their contract operation costs when EOSIO’s conservative mode was triggered. This was an oversight on the part of the maintainers.

With network resources monopolized the maintainers needed to have enough liquid EOS on hand to ensure a transaction to halt the contract would go through. It appears they didn’t have the tokens on hands, allowing the attacker to bide their time as the contract was drained.

These spam attacks aren’t unique to EOS. Networks such as Bitcoin and Ethereum are also vulnerable to spam attacks should a wealthy token holder wish to pay for them (though they are prohibitively expensive in most cases).

Block.one executives respond

Block.one CTO and creator of EOSIO Daniel Larimer took to Twitter to dispel the “FUD” around the network congestion attacks. He asserted the network was “working as intended”:

Yet, these assertions are in conflict with Larimer’s May 2018 comments while he was touting the “feeless” design of EOSIO:

“On EOSIO, no single user has the ability to saturate the entire network no matter how much money they’re willing to spend.”

Yet, that is exactly what happened during this exploit. The attacker saturated the network by spending a paltry $1,200.

Block.one CEO Brendan Blumer also took to social media to defend EOSIO. Though, he was rather vague on specific actions until pressed by a community member.

If a user stakes EOS they will always have access to network resources, he claims. But the amount will vary substantially, and when paying customers are using it all, it’ll be necessary to pay to maintain the same level of access, stated Blumer.

Issues raised

The recent exploit raises serious questions about the EOSIO blockchain. Jared Moore, an active community member asked: If the network is at risk of sudden spikes in resource cost, how much liquid EOS should developers have on hand to ensure they’re protected? Without guidance, dApp developers will continue to be vulnerable to these kinds of exploits, he argued.

Another issue is access. As EOS gains more usage it’s likely the network will eventually enter a state of constant “high congestion mode,” voiced another enthusiast.

This means developers and corporations, rather than small-time users, will dominate access to resources on the network—raising questions as to who the network is built for. These same corporations could also monopolize resources on the network, said Moore, in essence becoming gatekeepers.

On the bright side, such a scenario would make EOS like owning land, said another commentator, giving the token value through the network resources it entitles the owner to.

Dexaran, a security engineer and the creator of the ERC-223 token standard, made the following suggestion to mitigate future congestion attacks on dApps:

“It would be nice to calculate how much EOS you need to put into a ‘reserve’ account to make sure you have access to your contracts even during harsh congestion,” he commented.

Another community member voiced a need for better ways to calculate staked EOS needs under different network conditions:

“The key issue here is that the community has gotten used to the amount of free transactions they receive when the network is relatively unused. We need better estimates of how much EOS you need staked during different network conditions.”

He went on to describe problems with how staking is treated on the network.

“I also have a really big issue with the fact that EOSIO does not prioritize ‘staking’ transactions. When these conditions happen, folks attempting to stake more EOS should be allowed to (once per account) as a priority transaction. When I’ve paid for huge sums of EOS, it’s ridiculous when I get locked out and can’t allocate more to my account. I can’t ‘pay for more’ even if I wanted to.”

Designing a public blockchain is a complicated business. Things will go wrong. Right now, it’s very costly to build useful apps on any blockchain. Block.one executives should take the lead to make the development experience easier and less risky, paving the way for mass adoption, rather than maintaining hardliner positions that ‘nothing’s wrong.’

News Source

EOS

EOS Daily Tech Analysis – 17/02/20

EOS

EOS slid by 7.68% on Sunday. Following on from an 11.38% tumble on Saturday, EOS ended the day at $4.3850.

A bullish start to the day saw EOS rise to an early morning intraday high $4.8500 before hitting reverse.

Falling short of the first major resistance level at $5.2561, EOS slid to a late afternoon intraday low $4.0500.

EOS fell through the first major support level at $4.3749 before recovering to $4.38 levels late in the day.

At the time of writing, EOS was down by 4.66% to $4.1807. A bearish start to the day saw EOS fall from an early morning high $4.4002 to a low $4.1230.

EOS left the major support and resistance levels untested early on.

For the day ahead

EOS would need to move through to $4.43 levels to support a run at the first major resistance level at $4.8067.

Support from the broader market would be needed, however, for EOS to break out from the early morning high $4.4002.

Barring a broad-based crypto rebound, resistance at $4.50 levels would likely leave EOS short of the first major resistance level.

Failure to move through to $4.43 levels could see EOS struggle throughout the day.

A fall back through the morning low $4.1230 would bring the first major support level at $4.0067 into play.

Barring an extended crypto sell-off, however, EOS should steer of sub-$4.00 levels.

Looking at the Technical Indicators

Major Support Level: $4.0067

Major Resistance Level: $4.8067

23.6% FIB Retracement Level: $6.62

38% FIB Retracement Level: $9.76

62% FIB Retracement Level: $14.82

News source

Continue Reading

EOS

EOS Daily Tech Analysis – 15/02/20

EOS

EOS rose by 0.08% on Friday. Following on from a 0.42% gain on Thursday, EOS ended the day at $5.3600.

A choppy start to the day saw EOS rise to an early morning intraday high $5.4234 before hitting reverse.

Falling short of the first major resistance level at $5.5044, EOS slid to a mid-morning intraday low $5.2173.

Steering clear of the first major support level at $5.1883, EOS recovered to $5.38 levels before easing back to an afternoon low $5.2760.

Finding support late on recovered to $5.30 levels to close out the day in the green.

At the time of writing, EOS was down by 1.64% to $5.2723. A mixed start to the day saw EOS rise to an early morning high $5.3872 before sliding to a low $5.2265.

Falling short of the major resistance levels, EOS fell through the first major support level at $5.2437 early on.

For the day ahead

EOS would need to move back through to $5.33 levels to support a run at the first major resistance level at $5.4498.

Support from the broader market would be needed, however, for EOS to break out from Friday’s high $5.4234.

Barring a broad-based crypto rebound, the first major resistance level at $5.4498 and Friday’s high would likely limit the upside on the day.

Failure to move back through to $5.33 levels could see EOS fall deeper into the red.

A fall back through the first major support level at $5.2437 would bring sub-$5.20 levels into play.

Barring an extended crypto sell-off, however, EOS should continue to steer of the second major support level at $5.1275.

Looking at the Technical Indicators

Major Support Level: $5.2437

Major Resistance Level: $5.4498

23.6% FIB Retracement Level: $6.62

38% FIB Retracement Level: $9.76

62% FIB Retracement Level: $14.82

News Source

Continue Reading

EOS

EOS Price Analysis: EOS/USD bulls and bears lock each other down as price settles around $5.30

  • The $5.37 resistance level seems to have stopped any upward movement.
  • The RSI indicator is trending around 83.33 inside the overbought zone.

EOS/USD daily chart

EOS/USD daily chart

Over the last three days, EOS/USD has been trending horizontally around the $5.30-mark as the bulls and bears have locked each other down. The $5.37 resistance line is holding the price down and will need to be overcome to enter the $5.50-zone. The MACD indicator shows decreasing bullish momentum, while the Elliott Oscillator has had a red session follow nine straight green sessions. The RSI indicator is trending around 83.33 inside the overbought zone, which shows that further price correction may be round the corner. The bulls will need to protect the $5.15 support line to prevent any further downward movement. 

News :source.

Continue Reading
Open

Close