Ethical Hacker Exposes Vulnerabilities in EOS Code
In the week leading up to the launch of the EOS mainnet, an ethical hacker has confirmed eight vulnerabilities in the blockchain’s code.
As a participant of the EOSIO Bug Bounty Program run by Block One — the parent company of EOS — Guido Vranken will be compensated a minimum of $10,000 per confirmed discovery.
On May 28, the founder and lead architect of EOS, Daniel Larimer tweeted:
Help us find critical bugs in #EOSIO before our 1.0 release. $10K for every unique bug that can cause a crash, privilege escalation, or non-deterministic behavior in smart contracts. Offer subject to change, ID required, validity decided at the sole discretion of Block One.
— Daniel Larimer (@bytemaster7) May 28, 2018
Should Block One recognize all 12 bugs, this would equate a net payout of $120,000 for a week’s work, according to the hacker:
Thank you. A couple more waiting to be rewarded. I think the final tally was $120K but I lost count. Took me about a week.
— Guido Vranken (@GuidoVranken) June 4, 2018
Having previously discovered nine bugs, Vranken — who describes himself as an “Ethereum Foundation dedicated fuzz tester” — will earn more than $200,000 for his contributions to the program.
EOS: All Systems Go, or Cracks Appearing?
Vranken’s findings come just days after a Chinese cybersecurity firm discovered a “critical bug” in the EOS codebase. The report notes:
“The attacker can steal the private key of super nodes or control content of new blocks. What’s more, attackers can pack the malicious contract into a new block and publish it. As a result, all the full nodes in the entire network will be controlled by the attacker.”
After identifying and exploiting the “buffer out-of-bounds write vulnerability,” Beijing-based Qihoo 360 reported the issue to Dan Larimer — who quickly clarified the rumored delay of the mainnet launch:
Media has incorrectly reported a potential delay in the release of EOSIO V1 due to software vulnerabilities. Our team has already fixed most and is hard at work with the remaining ones. EOSIO V1 is on schedule; please stay tuned to our EOSIO channels for official information.
— EOS (@EOS_io) May 30, 2018
78 hours on at the time of press, the boot process has been initiated — the first of four stages in the launch. A public block producer appointed by EOS, EOS Nation describes the current state of play:
“Verify Snapshot & Boot: ERC-20 token Snapshot is verified by EOS Mainnet Launch Group (EMLG) and third parties. Appointed Block Producers within the EMLG initiate the Boot process.”
While Vranken’s compensation may appear generous, one must note that EOS — a $12.5 billion start-up — now stands in a pivotal position. As the 5th cryptocurrency by market cap with no working product, EOS may have a huge amount riding on the mainnet’s delivery as promised.