Ongoing EOSIO exploit allows attacker to gain 30,000 EOS as network freezes

An ongoing exploit on EOSIO is allowing an attacker to win every roll on gambling dApp EOSPlay by paying to fill blocks with their transactions. So far, the attacker has gained 30,000 EOS, worth over $110,000, while making the network “unusable.”

Scale of the exploit

A clever attacker was able to use REX, an EOS resource exchange for RAM and CPU, to ensure that blocks were filled with their transactions to continuously win on the gambling dApp EOSPlay. This resulted in the EOSIO network “freezing” as thousands of EOS were fed to the attacker’s wallet, as confirmed by another source.

For 300 EOS, worth a little over $1,000, the attacker was able to make off with 30,000 EOS tokens, Jared Moore, an active community member, told CryptoSlate. A look at the on-chain transactions involved confirms the attack.

Transactions showing consecutive wins on EOSPlay. Source: bloks.io

One anonymous smart contract developer, the creator of the ERC-233 token, stated the attack may have impacted more than just EOSPlay. The attacker appears to be leveraging multiple accounts to exploit several different smart contracts.

Mechanics behind the attack

As for the method behind the attack, EOSIO Alabama explained that the billing rate for CPU resources dynamically increases on REX.

“Everyone basically gets locked out unless they have more EOS staked than the attacker,” he reasoned.

In this instance, the attacker had roughly 900,000 EOS staked and allocated to CPU, seemingly preventing others from accessing the resource. The anonymous security engineer supported this theory, saying that “by congesting the network the attacker disallowed anyone to send transactions because the cost was too high for most users.”

That same developer stated that his EOS only provided 0.2 percent of the network resources EOSIO would normally divvy up to stakers, an indicator of how serious the congestion was.

What’s even more insidious: the owners of the smart contracts would have difficulty disabling their contracts due to the network congestion and lack of network resources, as described above, said the developer. Until there’s a fork or a patch, the exploit can continue to be abused whenever an EOSIO user spends $1,000 or more on REX, Moore added. 
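For contract owners, the practical consequence of the lockout described above is that an emergency shutdown has to be sent before the account's own CPU allowance collapses. The following is an added example, not code from the article or from any EOSIO project: a watchdog that classifies account snapshots shaped like the `cpu_limit` object (`used`, `available`, `max`, in microseconds) returned by the nodeos `get_account` chain API. The snapshot values, the thresholds and the cost of the "pause" action are all assumptions.

```python
from statistics import median

# Assumptions (not from the article): cost of a hypothetical emergency
# "pause" action, and the point at which a shrinking limit counts as congestion.
PAUSE_TX_CPU_US = 400     # CPU microseconds the pause transaction would be billed
CONGESTED_BELOW = 0.5     # limit under 50% of baseline is treated as congestion
BASELINE_WINDOW = 3       # leading snapshots used as the uncongested baseline

# Constructed samples, oldest first; only the cpu_limit field layout is real.
SNAPSHOTS = [
    {"t": "19:00", "cpu_limit": {"used": 900,  "available": 249100, "max": 250000}},
    {"t": "19:05", "cpu_limit": {"used": 1200, "available": 246800, "max": 248000}},
    {"t": "19:10", "cpu_limit": {"used": 800,  "available": 251200, "max": 252000}},
    {"t": "19:15", "cpu_limit": {"used": 700,  "available": 40300,  "max": 41000}},
    {"t": "19:20", "cpu_limit": {"used": 450,  "available": 50,     "max": 500}},
]

def classify(snapshots, pause_cost=PAUSE_TX_CPU_US):
    """Return (time, ratio_to_baseline, status) for each post-baseline snapshot.

    ok         - allowance is near its normal level
    pause-now  - allowance is shrinking but the pause action still fits
    locked-out - the pause action no longer fits; more stake or rented CPU is needed
    """
    baseline = median(s["cpu_limit"]["max"] for s in snapshots[:BASELINE_WINDOW])
    results = []
    for snap in snapshots[BASELINE_WINDOW:]:
        cpu = snap["cpu_limit"]
        ratio = cpu["max"] / baseline
        if ratio >= CONGESTED_BELOW:
            status = "ok"
        elif cpu["available"] >= pause_cost:
            status = "pause-now"
        else:
            status = "locked-out"
        results.append((snap["t"], round(ratio, 4), status))
    return results

if __name__ == "__main__":
    for t, ratio, status in classify(SNAPSHOTS):
        print(f"{t}  allowance at {ratio:.1%} of baseline  ->  {status}")
```

The last constructed snapshot sits at 0.2 percent of baseline, the same order of shrinkage the developer reported, and by then the pause action no longer fits.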

EOSPlay should be avoided until the exploit is fixed. For the rest of the network, people’s funds should not be at risk from the exploit.

Information is being added to this story as things unfold.


Mitchell Moos

Mitchell is a software enthusiast and entrepreneur. His first startup built algorithms for optimizing cryptocurrency mining. Prior to CryptoSlate, Mitchell was a project manager at a firm that built distributed software on Hyperledger. In his spare time he loves playing chess and hiking.

Commitment to Transparency: The author of this article is invested and/or has an interest in one or more assets discussed in this post. CryptoSlate does not endorse any project or asset that may be mentioned or linked to in this article. Please take that into consideration when evaluating the content within this article.
