On Sept. 13, an attacker flooded the EOSIO network to drain $110,000 in EOS from a gambling dApp. During the process, many user-facing applications were unusable due to congestion. Here’s how the hacker did it, in detail.
Basics of the network congestion exploit
Four days ago, an attacker pushed the EOS network into “high congestion mode” as part of a smart contract exploit. The maneuver temporarily made some free network resources unavailable, making many applications on the network “unusable” to smaller token holders for over two hours.
Although the network was still accessible (for example, a block explorer would still work), many were “prevented from publishing updates” or “doing anything actively on the chain” unless they paid for prohibitively costly network resources.
At the peak of network congestion, it required nearly 12 EOS to make a single feeless transaction on the network, said one community member. For context, Most blockchains attach a fee directly to transactions. EOSIO allows users to stake their tokens in exchange for network resources.
The attacker was able to rent a huge amount of network resources on a recently opened resource exchange. These resources were leveraged to select which valid transactions would get included on the blockchain to manipulate gambling dApp outcomes.
During this time, the maintainers of the gambling dApp did not have enough EOS on hand to take their contract offline (or take any preventative actions at all). This allowed the attacker to drain the smart contract for 30,000 EOS, at the cost of 300 EOS in rented network resources, at their leisure.
Identifying the attacker
Beginning Aug. 17, the user “mumachayinmm” started conducting tests against a variety of gambling dApps. After just under a month of testing, mumachayinmm rented the equivalent of 1.45 million EOS in network resources.
Previously, this would have required some $5.8 million in tokens. But REX, a new service launched in May, allows users to stake their EOS for security and voting purposes while selling the network resources their stake entitles them to. After REX, 1.45 million EOS in network resources cost just $1,200.
On Sept. 13, mumachayinmm started flooding EOSIO with hundreds of thousands of transactions.
Technical details behind the gambling dApp exploit
EOSPlay is a decentralized gambling dApp that offers games such as poker and dice. What made the service exploitable was how it generated random numbers for these games.
Instead of using a secure source of randomness, EOSPlay used the EOSIO blockchain as its source of entropy. Unfortunately, information on a blockchain can be manipulated.
As an example, on Bitcoin miners who find a block get to select which transactions are included at their discretion, so long as they’re legal transactions. Theoretically, if a dApp used transactions on Bitcoin to make calculations then large miners could game it.
On EOSIO, a similar way to manipulate the blockchain is to amass enough network resources to include whichever transactions are desired over all other users.
Specifically, what the attacker did was put deferred transactions into each block, said Dexaran, a respected smart contract developer. These blocks were the ones EOSPlay used to calculate random numbers.
By monopolizing network resources, the attacker could then calculate the random number before the contract could. If the number was a losing number, then the deferred transactions started an “infinite loop,” pushing random number generation to the next block, said Dexaran.
The maneuver allowed mumachayinmm to win on EOSPlay over and over again.
EOSPlay helpless during the attack
To make matters worse, the maintainers behind the gambling dApp did not stake enough EOS to cover their contract operation costs when EOSIO’s conservative mode was triggered. This was an oversight on the part of the maintainers.
With network resources monopolized the maintainers needed to have enough liquid EOS on hand to ensure a transaction to halt the contract would go through. It appears they didn’t have the tokens on hands, allowing the attacker to bide their time as the contract was drained.
These spam attacks aren’t unique to EOS. Networks such as Bitcoin and Ethereum are also vulnerable to spam attacks should a wealthy token holder wish to pay for them (though they are prohibitively expensive in most cases).
Block.one executives respond
Block.one CTO and creator of EOSIO Daniel Larimer took to Twitter to dispel the “FUD” around the network congestion attacks. He asserted the network was “working as intended”:
Yet, these assertions are in conflict with Larimer’s May 2018 comments while he was touting the “feeless” design of EOSIO:
“On EOSIO, no single user has the ability to saturate the entire network no matter how much money they’re willing to spend.”
Yet, that is exactly what happened during this exploit. The attacker saturated the network by spending a paltry $1,200.
Block.one CEO Brendan Blumer also took to social media to defend EOSIO. Though, he was rather vague on specific actions until pressed by a community member.
If a user stakes EOS they will always have access to network resources, he claims. But the amount will vary substantially, and when paying customers are using it all, it’ll be necessary to pay to maintain the same level of access, stated Blumer.
The recent exploit raises serious questions about the EOSIO blockchain. Jared Moore, an active community member asked: If the network is at risk of sudden spikes in resource cost, how much liquid EOS should developers have on hand to ensure they’re protected? Without guidance, dApp developers will continue to be vulnerable to these kinds of exploits, he argued.
Another issue is access. As EOS gains more usage it’s likely the network will eventually enter a state of constant “high congestion mode,” voiced another enthusiast.
This means developers and corporations, rather than small-time users, will dominate access to resources on the network—raising questions as to who the network is built for. These same corporations could also monopolize resources on the network, said Moore, in essence becoming gatekeepers.
On the bright side, such a scenario would make EOS like owning land, said another commentator, giving the token value through the network resources it entitles the owner to.
Dexaran, a security engineer and the creator of the ERC-223 token standard, made the following suggestion to mitigate future congestion attacks on dApps:
“It would be nice to calculate how much EOS you need to put into a ‘reserve’ account to make sure you have access to your contracts even during harsh congestion,” he commented.
Another community member voiced a need for better ways to calculate staked EOS needs under different network conditions:
“The key issue here is that the community has gotten used to the amount of free transactions they receive when the network is relatively unused. We need better estimates of how much EOS you need staked during different network conditions.”
He went on to describe problems with how staking is treated on the network.
“I also have a really big issue with the fact that EOSIO does not prioritize ‘staking’ transactions. When these conditions happen, folks attempting to stake more EOS should be allowed to (once per account) as a priority transaction. When I’ve paid for huge sums of EOS, it’s ridiculous when I get locked out and can’t allocate more to my account. I can’t ‘pay for more’ even if I wanted to.”
Designing a public blockchain is a complicated business. Things will go wrong. Right now, it’s very costly to build useful apps on any blockchain. Block.one executives should take the lead to make the development experience easier and less risky, paving the way for mass adoption, rather than maintaining hardliner positions that ‘nothing’s wrong.’
EOS Keeps the Bearish Run Intact; Price Hovers Around $3
EOS is battling in the downtrend for a long time. The coin was at $4.3 on August 01, 2019. The month ended with a substantial loss of 23.57% at $3.3. The fall continued in September also. Lately, the currency has experienced a little improvement, and the same is indicating towards a better future.
We have entered in the last quarter of the year. All eyes are upon the board for a better closing. Let’s have a look at the last month’s price movement of EOS.
The last month started with a moderate price movement in EOS. There was an uptrend noted, which took the EOS price to $3.9613 from $3.2560 by 21.8%. Later, the price fell to $3.7153 by 6.21%. Then, again, it went up and reached $4.2384 by 14.55%. Later, the tremendous fall brought EOS price down to $2.4193 by massive drop of 42.92%. There was a recovery in the last few days. That took EOS coin price to $3.1259 by 29% progression. The month locked 6.54% loss as it opened at $3.3445 and closed at $3.1259. The ongoing month is reflecting upward movement. In the last few days, EOS moved from $2.9971 to $3.3700 by 12.4%.
EOS Price Prediction
EOS is dealing among the top ten cryptocurrencies in the market. Traders are still hoping for an improvement and thus sticking around. EOS is also speculated to experience the price rally soon.
As per the current statistics, the market cap of EOS is at 2,935,684,716 USD. Out of the total supply of 1,032,096,275 EOS, there are 935,396,263 EOS coins circulating in the market. The ROI is at 204.31%. The 24-hour volume is at 1,675,918,670 USD.
EOS has recovered strongly and likely to break its next resistance of $3.25 soon. By the end of 2019, EOS is likely to trade above $4.20. We would recommend long-term investment as it would give a colossal profit.
Resistance & Support Levels
R1: $3.25, R2: $3.33 and R3: $3.42
S1: $3.08, S2: $2.99 and S3: $2.91
EOS Price Analysis: Primed For More Gains Above $3.30
- EOS price is slowly climbing higher and it recently broke the $3.000 resistance against the US Dollar.
- The price is currently correcting gains, but it remains supported near $3.050 and $3.000.
- There is a crucial bearish trend line forming with resistance near $3.280 on the 4-hours chart of the EOS/USD pair (data feed from Coinbase).
- The pair could rise steadily once there is a clear break above the $3.300 resistance area.
EOS price is trading with a positive bias against the US Dollar and bitcoin. The price is likely to recover towards the $3.450 and $3.650 resistance levels in the near term.
EOS Price Analysis
This past week, there was a downside extension in bitcoin, Ethereum, ripple, litecoin and EOS against the US Dollar. However, the market recovered this week and EOS price started a decent upward move from the $2.850 support area. It surpassed the key $3.000 resistance area. Moreover, there was a close above the $3.080 resistance area and the 55 simple moving average (4-hours).
As a result, there were further gains and the price traded to a new monthly low near $3.313. At the moment, the price is correcting gains below the $3.200 level. Moreover, it traded below the 23.6% Fib retracement level of the recent wave from the $2.850 low to $3.313 high. On the downside, there is a strong support forming near the $3.080 and $3.050 levels.
Additionally, the 50% Fib retracement level of the recent wave from the $2.850 low to $3.313 high is also near the $3.080 level. Therefore, dips towards the $3.080 level remains well supported. If there are further downsides, the price could test the $3.000 support area or the 55 SMA. There is also a connecting bullish trend line forming with support near $3.000 on the 4-hours chart of the EOS/USD pair.
On the upside, there is a key resistance forming near the $3.300 level. Additionally, there is a crucial bearish trend line forming with resistance near $3.280 on the same chart. A successful break above the trend line and $3.300 could set the pace for more gains. The next resistance is near the $3.450 level, above which the price could test the key $3.650 resistance.
Looking at the chart, EOS price is showing a lot of positive signs above the $3.080 and $3.000 support levels. As long as there is no close below $3.000, there are high chances of more gains above $3.300 and $3.450.
Hourly MACD – The MACD for EOS/USD is losing momentum in the bullish zone.
Hourly RSI (Relative Strength Index) – The RSI is currently correcting lower towards the 50 level.
Major Support Levels – $3.080 and $3.000.
Major Resistance Levels – $3.300 and $3.450.
Block.one debuts EOSIO 2 with improvements aimed at developers
EOSIO 2, the second iteration of the EOS blockchain, was unveiled. Block.one, the company behind the blockchain, said that EOSIO 2 was built with developers in mind and will create a faster, simpler, and more secure environment to build on EOS.
A new iteration of EOSIO is on its way
EOSIO, an open-source blockchain protocol, has gotten better and faster. Block.one, the company behind the globally-recognized platform, unveiled EOSIO 2 on Oct. 7, saying the newest iteration of their celebrated platform was built with developers in mind.
According to the company’s official blog post, the focus of EOSIO 2 was to create a faster, simpler, and more secure way to build on EOSIO. Block.one set out to solve problems they believe all developers face when building on blockchains: the speed in which smart contracts are executed, the complexity of onboarding new developers, and the security of private and public keys.
Dan Larimer, the CFO at Block.one, said that EOSIO developers are currently working on solving issues that Ethereum 2.0, which won’t launch for at least two more years, hasn’t even begun considering.
He went onto explain that EOSIO has been consistently scaling ever since it launched in 2017, and is now 16 times faster than it was then.
EOSIO continues to iterate
The company seems to have set out to create the second iteration of EOSIO out of sheer necessity. Block.one previously explained that they were the first to use a WebAssembly (WASM) engine to improve performance. These engines are used to facilitate interactions between executable programs and their host environment, in this case, between smart contracts and a blockchain.
However, EOSIO quickly outgrew all existing general-purpose WASM engines, which is why they decided to build their own. EOS VM, the company’s purpose-built WASM, is 16 times faster than Binaryen WASM, which was released with the first version of EOSIO.
EOSIO 2 will also feature a quick-start development tool that will allow new developers to get into a ready-to-build mode “in minutes.” Furthermore, the blockchain’s second iteration adds WebAuthn support, a secure authentication standard that will allow developers to achieve a level of security for private keys “that doesn’t exist in blockchain today,” Block.one said.
EOS community members can already download EOSIO 2 rc1 and utilize it both on testnet and non-critical EOS nodes, Larimer said in a tweet.
The news about EOSIO 2 seems to have had a strong impact on the price of EOS, which spiked almost 10 percent in just two days. While the coin seems to be on a path toward consolidation on Oct. 9, its price spiked from $2.8 to $3.1 following the announcement.