EOS.IO phasing out free network resources after smart contract exploit
Block.one plans to phase out free network resources on EOSIO after the feature let an attacker exploit a smart contract for 30,000 EOS.
On the heels of v1.8, the network's first consensus hard fork upgrade, Block.one is pushing block producers to eliminate free network resources. Currently, during periods of low congestion, surplus resources are handed out to token holders beyond what their stake guarantees. The company behind EOSIO now wants to end that redistribution of surplus altogether.
According to the firm, such a change would introduce greater stability and predictability for the network.
Smart contract exploit
In mid-September the gambling dApp EOSPlay was exploited for 30,000 EOS, worth $110,000 at the time, by abusing developers’ expectations of free network resources.
The attacker pushed the network into "high congestion mode," the point at which free network resources stop being handed out, by renting a huge amount of network resources through REX, EOSIO's recently launched resource exchange. Many dApps and users on the network were not prepared for the sudden collapse in resource availability.
“Some users have taken it upon themselves to wastefully consume the ‘free’ bandwidth offered when those who have reserved bandwidth don’t utilize it,” said Block.one, likely alluding to the incident. “This behavior forces the network to reduce the amount of ‘free’ bandwidth it offers to all users, and disrupts those that have come to rely on a consistency of free resources.”
As a result, many applications on the network became "unusable," and smaller token holders were locked out of dApps and wallets for over two hours. During that period of high congestion, the attacker was able to manipulate which transactions were included on the blockchain so as to guarantee wins on EOSPlay, allowing them to drain the smart contract.
Block.one’s response
The incident sparked considerable feedback and criticism toward Block.one. Both Brendan Blumer and Dan Larimer, the CEO and CTO of the firm, took to social media to address the exploit.
“Recent events have evidenced that the existence of ‘sometimes free’ bandwidth creates unrealistic expectations in both developers and users who don’t fully understand the specifics of EOSIO design,” stated Block.one in its recent announcement.
To address these “unrealistic expectations” Block.one is phasing out free resources entirely.
“Removing this feature will ensure everyone adapts to securing network resources through renting or staking tokens, and will result in an improved user experience where every user always gets what they expect,” stated Block.one. “We believe it’s now time to operate the network as if it is experiencing high volumes all the time.”
Implementing the change
First, Block.one is recommending that block producers take advantage of EOSIO’s “grey list” feature. The grey list allows block producers to restrict users solely to their allocation of guaranteed resources, removing their access to free resources. The feature allows block producers to cut off users who abuse free resources, said Block.one.
To phase out free resources from the network, Block.one plans to introduce a new feature that would allow block producers to apply the grey list to all accounts and gradually reduce free resources for all users.
The company is not, however, ruling out a hard fork upgrade to implement the feature.
“Block.one believes that a hard fork could be used as another effective measure to make the shade of grey listing a global consensus parameter, rather than a setting individually implemented by each block producer.”
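The REX squeeze described in the exploit section and the effect of the grey list proposed above, as an added illustration that is not code from the article, from EOSIO or from Block.one: a simplified model in which each account's guaranteed share of capacity is proportional to its stake, surplus is handed out as a multiple of that share while the network sits below a congestion target, and a grey-listed account is held to its guaranteed share regardless of congestion. The capacity, congestion target, surplus multiplier and all account figures are assumptions chosen for the illustration, not EOSIO parameters or figures from the incident.

```python
from dataclasses import dataclass

# All figures below are assumptions for the illustration, not EOSIO parameters.
CAPACITY = 1_000_000        # resource units the network can serve per window
CONGESTION_TARGET = 0.10    # utilisation above which "high congestion mode" applies
FREE_MULTIPLIER = 1000      # surplus handed out per unit of guaranteed share when uncongested


@dataclass
class Account:
    name: str
    staked: int            # tokens staked, or rented through REX, for network resources
    needs: int             # units the account tries to consume this window
    grey_listed: bool = False


def guaranteed(acct: Account, total_staked: int) -> int:
    """Share of capacity the account is entitled to, in proportion to its stake."""
    return CAPACITY * acct.staked // total_staked


def allowance(acct: Account, total_staked: int, congested: bool) -> int:
    """Units the account may consume: the guaranteed share only when the network is
    congested or the account is grey-listed, otherwise the 'sometimes free' multiple."""
    g = guaranteed(acct, total_staked)
    if congested or acct.grey_listed:
        return g
    return min(CAPACITY, g * FREE_MULTIPLIER)


def run_window(accounts, always_congested=False):
    """Serve one window of demand and return (congested, {name: (served, allowance)}).

    Demand is first evaluated against the uncongested allowances; if it exceeds the
    congestion target the network flips to high congestion mode and every allowance
    collapses to the guaranteed share. always_congested models the proposal to run
    the network as if it were experiencing high volumes all the time.
    """
    total_staked = sum(a.staked for a in accounts)
    usage = sum(min(a.needs, allowance(a, total_staked, False)) for a in accounts)
    congested = always_congested or usage > CAPACITY * CONGESTION_TARGET
    outcome = {}
    for a in accounts:
        allow = allowance(a, total_staked, congested)
        outcome[a.name] = (a.needs <= allow, allow)
    return congested, outcome


def baseline_accounts():
    # Constructed sample: a large idle stake, a dApp, and a small holder whose
    # usage only fits inside the free surplus, never inside its guaranteed share.
    return [
        Account("others", staked=1_000_000, needs=0),
        Account("eosplay", staked=10_000, needs=5_000),
        Account("smallholder", staked=10, needs=500),
    ]


def quiet_network():
    return run_window(baseline_accounts())


def rex_squeeze():
    # The attacker rents a large stake and burns through it, pushing utilisation past
    # the target; every other account drops to its guaranteed share and the ones that
    # relied on surplus stop being served.
    accounts = baseline_accounts() + [Account("attacker", staked=2_000_000, needs=600_000)]
    return run_window(accounts)


def grey_listed_smallholder():
    # Grey-listing one account confines it to its guaranteed share even on a quiet network.
    accounts = baseline_accounts()
    accounts[2].grey_listed = True
    return run_window(accounts)


if __name__ == "__main__":
    for label, scenario in [("quiet", quiet_network), ("REX squeeze", rex_squeeze),
                            ("grey-listed", grey_listed_smallholder)]:
        congested, outcome = scenario()
        print(f"{label}: congested={congested}")
        for name, (served, allow) in outcome.items():
            print(f"  {name:12} allowance={allow:>9} served={served}")
```

In the quiet window the small holder is served only because its 9-unit guaranteed share is multiplied a thousandfold; the moment the rented stake tips the network over the target, that same account is left with 3 units and the dApp with roughly a third of what it needs. Passing always_congested=True (or grey-listing every account) removes the cliff by never offering the surplus in the first place, which is the predictability Block.one is arguing for: an account then either stakes or rents enough for its own load, or it does not run.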
Following the exploit, it seems that Block.one is paying heed to feedback from the community.