Ongoing EOSIO exploit allows attacker to gain 30,000 EOS as network freezes

An ongoing exploit on EOSIO is allowing an attacker to win every roll on gambling dApp EOSPlay by paying to fill blocks with their transactions. So far, the attacker gained 30,000 EOS worth over $110,000 while making the network “unusable.”

Scale of the exploit

A clever attacker was able to use REX, an EOS resource exchange for RAM and CPU, to ensure that blocks were filled with their transactions to continuously win on the gambling dApp EOSPlay. This resulted in the EOSIO network “freezing” as thousands of EOS were fed to the attacker’s wallet, as confirmed by another source.

For 300 EOS, worth a little over $1,000, the attacker was able to make away with 30,000 EOS tokens, said Jared Moore to CryptoSlate, an active community member. A look at the on-chain transactions involved confirms the attack.

Transactions showing consecutive wins on EOSPlay. Source: bloks.io

One anonymous smart contract developer, the creator of the ERC-233 token, stated the attack may have impacted more than just EOSPlay. The attacker appears to be leveraging multiple accounts to exploit several different smart contracts.

It seems that the scale of the attack is much larger than we originally expected.
These are attacker's accounts:https://t.co/wdeRVVHT4V https://t.co/euC2gEncj7 https://t.co/7mrpdRfGLi https://t.co/Wsl578HVPa https://t.co/I0aTR8OvbQ https://t.co/7ixE6VCoLf https://t.co/1QIOQDfDlw
— Dexaran (@Dexaran) September 13, 2019

Mechanics behind the attack

As for the method behind the attack, EOSIO Alabama explained that the billing rate for CPU resources dynamically increases on REX.

“Everyone basically gets locked out unless they have more EOS staked than the attacker,” he reasoned.

In this instance, the attacker had roughly 900,000 EOS staked and allocated to CPU, seemingly preventing others from accessing the resource. The anonymous security engineer supported this theory, saying that “by congesting the network the attacker disallowed anyone to send transactions because the cost was too high for most users.”

That same developer stated that his EOS only provided 0.2 percent of the network resources EOSIO would normally divvy-up to stakers, an indicator of how serious the congestion was.

2/ Explanation:
Probably the RNG of attacked gambling DApps could use some transactions or data from earlier blocks as a source of entropy.
It's easier to manipulate "previous blocks" when the network is congested and you are the only one having resources to send transactions.
— Dexaran (@Dexaran) September 14, 2019

What’s even more insidious: the owners of the smart contracts would have difficulty disabling their contracts due to the network congestion and lack of network resources, as described above, said the developer. Until there’s a fork or a patch, the exploit can continue to be abused whenever an EOSIO user spends $1,000 or more on REX, Moore added.

EOSPlay should be avoided until the exploit is fixed. For the rest of the network, people’s funds should not be at risk from the exploit.

Information is being added to this story as things unfold.

EOS Market Data

At the time of press 2:27 am UTC on Nov. 7, 2019, EOS is ranked #7 by market cap and the price is down 0.07% over the past 24 hours. EOS has a market capitalization of $3.76 billion with a 24-hour trading volume of $2.02 billion. Learn more about EOS ›

Crypto Market Summary

At the time of press 2:27 am UTC on Nov. 7, 2019, the total crypto market is valued at at $263.68 billion with a 24-hour volume of $50.05 billion. Bitcoin dominance is currently at 69.39%. Learn more about the crypto market ›

Mentioned in this article

EOS

Block.one

Posted In: EOS, Hacks, Price Watch

Disclaimer: Our writers' opinions are solely their own and do not reflect the opinion of CryptoSlate. None of the information you read on CryptoSlate should be taken as investment advice, nor does CryptoSlate endorse any project that may be mentioned or linked to in this article. Buying and trading cryptocurrencies should be considered a high-risk activity. Please do your own due diligence before taking any action related to content within this article. Finally, CryptoSlate takes no responsibility should you lose money trading cryptocurrencies.

Trump eyeing former CFTC chair Chris Giancarlo for White House ‘crypto czar’ role

SEC Chair Gary Gensler to step down on Jan. 20

Agant’s GBPA aims to transform UK’s digital finance landscape with regulatory-first approach

Bitwise registers Solana Trust signalling future SEC application for SOL spot ETF

Trump’s Crypto Advisory Council to setup promised Strategic Bitcoin Reserve – Report

Japan to ease crypto taxation under new stimulus package

BIS report on DeFi activity reveals institutional traders heavily outmaneuver retail on Uniswap

ICP identity protocol DecideID to launch on Solana eliminating any KYC need for DeFi

DCG launches Yuma to fuel decentralized AI innovation with Bittensor

Trump eyeing former CFTC chair Chris Giancarlo for White House ‘crypto czar’ role

South Korea links major crypto heist to North Korea, recovers Bitcoin

Tether prints $5 billion USDT in 5 days adding to bull run market liquidity

Societe Generale expands its stablecoin to XRP Ledger to drive further adoption

Bitcoin registers new all-time high inches away from $94,000

Bitcoin surges to $97k as market leverage hits historic $63 billion

Memecoin revival drives Solana DEX Raydium past Tether in fees

Ethereum falls to 4-year low against Bitcoin as BTC breaks above $94k

Bitcoin ETFs record over $1 billion inflow in 2 days as new price peak boosts investments

Stablecoin market hits 2-year high of $183B amid Trump victory fueled optimism

Crypto liquidations become elevated hitting highest persistent level of 2024 amid Bitcoin rally

OORT’s Max Li emphasizes blockchain’s role in AI trust and ethics revolution

Sunny Aggarwal’s vision for seamless cross-chain trading with Polaris

The rise of crypto neobanks: Nikolai Denisenko on Brighty’s mission

Revolutionizing Biotech: Paul Kohlhaas discusses decentralized science and open innovation

Sui aims to become the “Internet Coordination Layer,” says Mysten Labs Co-Founder

Liquidium CEO Robin Obermaier discusses Bitcoin DeFi and cross-chain lending

Ongoing EOSIO exploit allows attacker to gain 30,000 EOS as network freezes

Scale of the exploit

Mechanics behind the attack

EOS Market Data

EOS

$4.04

Crypto Market Summary

Mentioned in this article

Nansen Collaborates with TRON DAO to Empower Developers and Users with Advanced Blockchain Insights

Featured Story

Nansen Collaborates with TRON DAO to Empower Developers and Users with Advanced Blockchain Insights

In this article

Block.one

Ike Goes Live on Mainnet: Unlocking Liquid Staking on Aleph Zero

Coinshift Launches csUSDL, Announces Strategic Partnerships

Bitcoin surges to $97k as market leverage hits historic $63 billion

Memecoin revival drives Solana DEX Raydium past Tether in fees

Ethereum falls to 4-year low against Bitcoin as BTC breaks above $94k

Bitcoin ETFs record over $1 billion inflow in 2 days as new price peak boosts investments

Stablecoin market hits 2-year high of $183B amid Trump victory fueled optimism

Crypto liquidations become elevated hitting highest persistent level of 2024 amid Bitcoin rally

OORT’s Max Li emphasizes blockchain’s role in AI trust and ethics revolution

Sunny Aggarwal’s vision for seamless cross-chain trading with Polaris

The rise of crypto neobanks: Nikolai Denisenko on Brighty’s mission

Revolutionizing Biotech: Paul Kohlhaas discusses decentralized science and open innovation

Sui aims to become the “Internet Coordination Layer,” says Mysten Labs Co-Founder

Liquidium CEO Robin Obermaier discusses Bitcoin DeFi and cross-chain lending

Bitcoin

Binance USD

Tether

First Digital USD

Cardano

XRP

Solana

Chainlink

Dennis Porter

Donald Trump

Eric Balchunas

James Seyffart

Hunter Horsley

Jeffrey Park

Charles Hoskinson

Brian Armstrong

John Deaton

Michael Saylor

Gary Gensler

Jesse Powell

Hester Peirce

Brad Garlinghouse

Jay Clayton

Tyler Winklevoss

Kelly Loeffler

Anthony Scaramucci

Nayib Bukele

Justin Sun

Jason Lowery

Thomas Lee

Satoshi Action Fund

BlackRock

Binance

Ethena Labs

Tether Limited

Bitwise

Coinbase

Input Output

Microsoft

MicroStrategy

OpenAI

Google

Apple

Kraken

Grayscale Investments

Ripple

VanEck

Fidelity Investments

Bakkt

Bitfinex

CryptoQuant

Goldman Sachs

Nasdaq

Nvidia

Marathon Digital

Metaplanet

BitGo

Franklin Templeton

UPbit

Ongoing EOSIO exploit allows attacker to gain 30,000 EOS as network freezes

Scale of the exploit

Mechanics behind the attack

EOS Market Data

$4.04

Crypto Market Summary

Mentioned in this article