A new exploit on the EOS network has allowed one hacker to win every roll on the gambling dApp EOSPlay. The individual won some $110,000 by artificially filling blocks on the network.
EOS is once again mired in controversy: it has recently been revealed that a hacker was able to exploit EOSIO to cheat a gambling dApp, EOSPlay. The tech-savvy individual ran off with over 30,000 EOS in winnings. The on-chain transactions are all visible on the block explorer.
The attack is reportedly larger than people initially expected, and it is not limited to EOSPlay. The hacker is alleged to be targeting multiple smart contracts as well, rendering some dApps unusable and 'gaming' others for more rewards.
It seems that the scale of the attack is much larger than we originally expected.
These are the attacker's accounts:
https://t.co/wdeRVVHT4V
https://t.co/euC2gEncj7
https://t.co/7mrpdRfGLi
https://t.co/Wsl578HVPa
https://t.co/I0aTR8OvbQ
https://t.co/7ixE6VCoLf
https://t.co/1QIOQDfDlw
— Dexaran (@Dexaran) September 13, 2019
As a result of the attack, the EOS network is in ‘congestion mode.’
Staked and Allocated EOS
The dynamics of the attack are difficult to explain to someone not familiar with EOS. Essentially, the attacker had some 900,000 EOS staked and allocated to CPU on EOSIO. The hacker then exploited EOS's new 'Resource Exchange' (REX), a marketplace for the risk-free leasing of CPU and network (NET) resources.
With that much EOS staked, the attacker was able to 'congest' the network and throttle everyone else's transactions. On EOSIO, CPU time is allotted to accounts in proportion to what they have staked, so once the chain enters congestion mode an account holding a large enough share can crowd other users out of the blocks entirely. As Dexaran (@Dexaran) explains:
Probably the RNG of attacked gambling DApps could use some transactions or data from earlier blocks as a source of entropy.
It's easier to manipulate "previous blocks" when the network is congested and you are the only one having resources to send transactions.
— Dexaran (@Dexaran) September 14, 2019
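To make the mechanism concrete, the following toy simulation is an added example; it is not code from the article, from EOSPlay or from EOSIO. It assumes, as the tweet above suggests, a dApp whose dice roll is derived from the id of the block that precedes the bet, and it models a block id as nothing more than a hash over the parent id and the block's transactions. The chain, the transactions, the seeds and the win threshold are all constructed for illustration. Because an attacker who is the only party with CPU chooses every transaction in that preceding block, they can grind filler transactions until the block id produces a winning roll. A commit-reveal roll that never reads block data is shown alongside as the fix.

```python
import hashlib
from typing import List, Optional, Tuple

SIDES = 100       # a roll is 0..99
WIN_BELOW = 10    # the player wins on roll < 10: a fair 10% chance


def block_id(parent_id: bytes, txs: List[bytes]) -> bytes:
    """Toy block id: a hash over the parent id and the ordered transaction list.
    Whoever fills the block therefore decides this value (assumption for the demo)."""
    h = hashlib.sha256(parent_id)
    for tx in txs:
        h.update(tx)
    return h.digest()


def vulnerable_roll(prev_block_id: bytes, bet_id: int) -> int:
    """Assumed dApp RNG: the roll depends only on the previous block's id and the
    bet id, so it is fixed as soon as that block's contents are fixed."""
    digest = hashlib.sha256(prev_block_id + bet_id.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big") % SIDES


def grind_winning_block(parent_id: bytes, bet_id: int,
                        max_tries: int = 100_000) -> Optional[List[bytes]]:
    """Attacker with exclusive CPU picks the whole tx set of the block before the bet.
    Try nonce-bearing filler transactions until that block's id yields a winning roll."""
    for nonce in range(max_tries):
        txs = [b"filler-tx:" + nonce.to_bytes(4, "big")]
        if vulnerable_roll(block_id(parent_id, txs), bet_id) < WIN_BELOW:
            return txs
    return None


def simulate(bets: int = 50) -> Tuple[int, int]:
    """Return (honest_wins, attacker_wins) over `bets` rounds on the toy chain."""
    parent = hashlib.sha256(b"genesis").digest()   # constructed starting point
    honest_wins = attacker_wins = 0
    for bet_id in range(bets):
        # Uncongested network: the preceding block is filled by other users' transactions.
        honest_block = block_id(parent, [b"user-tx:" + bet_id.to_bytes(4, "big")])
        if vulnerable_roll(honest_block, bet_id) < WIN_BELOW:
            honest_wins += 1
        # Congested network: only the attacker gets transactions in, so they choose the block.
        txs = grind_winning_block(parent, bet_id)
        if txs is not None and vulnerable_roll(block_id(parent, txs), bet_id) < WIN_BELOW:
            attacker_wins += 1
        parent = honest_block
    return honest_wins, attacker_wins


# Hardened alternative: commit-reveal. Player and house each commit to a secret seed
# before the bet is placed; the roll is derived from the revealed seeds and never from
# block contents, so filling blocks buys the attacker nothing.
def commitment(seed: bytes) -> bytes:
    return hashlib.sha256(b"commit|" + seed).digest()


def hardened_roll(player_seed: bytes, player_commit: bytes,
                  house_seed: bytes, house_commit: bytes) -> int:
    if commitment(player_seed) != player_commit or commitment(house_seed) != house_commit:
        raise ValueError("reveal does not match commitment")
    digest = hashlib.sha256(player_seed + house_seed).digest()
    return int.from_bytes(digest[:8], "big") % SIDES


if __name__ == "__main__":
    honest, attacker = simulate()
    print(f"honest blocks: {honest}/50 wins; attacker-filled blocks: {attacker}/50 wins")
```

The grinding loop needs about ten candidate blocks on average to hit a 10% outcome, which is why exclusive block space is all the attacker needs. The commit-reveal version has its own well-known caveat: whichever side reveals last can abort on seeing a losing result, so a contract using it must treat a timed-out reveal as a forfeit for the party that failed to reveal.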
The bottom line is that until there is a fork or a patch, this exploit can be used by any EOSIO user who spends more than roughly $1,000 on the Resource Exchange. So the problem goes much deeper than EOSPlay: any dApp whose randomness depends on recent block data would be exposed in the same way, and people likely would not notice until it was too late.
EOS has had a hard time creating a dynamic marketplace for CPU and RAM on its network. As a result, it has struggled to position itself as the 'scalable' version of Ethereum, a goal it often touted.
Considering that Block One has some $3 billion or so in its war chest from its year-long ICO, one has to wonder how much of that has been put towards network security. Given recent controversies, it seems not much.
Do you believe EOS can quickly patch this issue or does this underscore some fundamental problems with the network? Let us know your thoughts below.
Images are courtesy of Twitter, Shutterstock.