Qihoo 360, China’s largest internet security company, recently published an announcement that the upcoming EOS mainnet launch scheduled for June 2, 2018, could potentially be delayed due to a series of high-risk security vulnerabilities that could cripple the entire EOS network.
Update: Chinese media outlet Jinse reports that the security flaw identified by the 360 team was isolated and resolved by the EOS development team at 2 PM on the 29th.
The May 29th announcement states that the 360 team identified a flaw within the EOS code that would make it possible for nodes within the EOS network to be remotely compromised:
“Recently, the 360 Vulcan team discovered a series of high-risk security vulnerabilities in blockchain platform EOS. It has been verified that some of these vulnerabilities can remotely execute arbitrary code on the EOS node. That is, remote attacks can directly control and take over all nodes running on EOS.”
Qihoo 360 States EOS Susceptible to “Supernode Attack”
The EOS development team is currently pushing toward the June 2nd launch of the EOS platform, with exchanges such as Binance, Bitfinex, and Kucoin all announcing support of the shift from an EOS ERC-20 token to the new EOS blockchain.
The launch, however, may be interrupted if the EOS development team is unable to correct the flaw identified by Qihoo 360 before the launch date. According to Qihoo 360, the EOS network makes it possible for malicious individuals to publish a smart contract whose code serves as the attack vector against the nodes that process it.
1/ Chinese Internet security giant 360 has found "a series of epic vulnerabilities" in the #EOS platform. Some of the bugs allow arbitrary code to be executed remotely on EOS nodes and even allow full control of the nodes to be taken.
Source (in Chinese): https://t.co/pt6nj6EodP
— cnLedger [Not giving away ETH] (@cnLedger) May 29, 2018
Concerningly, the flaw identified by the Qihoo 360 team could be used to package a malicious contract into a new block; because every full node in the network processes that block, all of them could then be controlled remotely. This eventuality, states the Qihoo 360 team, would be catastrophic to the EOS network:
“Since the system of the node is completely controlled, the attacker can “do whatever it wants”, such as stealing the key of the EOS super node, controlling the virtual currency transactions of the EOS network; and acquiring other financial and privacy data in the EOS network participating node system — such as a user’s key stored in the wallet, key user profiles, privacy data, and more.”
Such an incident, according to Qihoo 360, would make it possible for attackers to enlist compromised EOS nodes into a botnet.
EOS Mainnet Launch Could Be Delayed
The Qihoo 360 team notified EOS officials on the 29th and is currently working with the EOS development team to ensure the issue is fixed before launch. There is a chance, however, that the launch may be postponed if a solution is not found before June 2nd:
“On the early morning of the 29th, 360 first reported the vulnerability to EOS officials and helped them repair the security risks. The person in charge of the EOS network said that the EOS network will not be officially launched until these issues are fixed.”
The alleged security flaw is apparently located within the smart contract virtual machine on the EOS platform, but the Qihoo 360 team has not yet published any documentation regarding the security issue.
Roshan Abraham, the Head of Technology at EOS block production candidate EOS Authority, states that while EOS Authority has not given any specific information regarding the security vulnerability, it’s unlikely that the EOS project has VM issues:
“The VM used in EOS is web assembly. Web assembly is actively developed by Google, Microsoft and other major companies. It is highly unlikely to have VM issues. It is most likely to be a specific issue with nodeos (the program that runs the block production on each block producer’s server).”
Collaboration between the EOS team and Qihoo 360 will likely benefit the EOS project, allowing EOS to leverage the experience and resources of the security giant in order to enhance the overall security of the EOS blockchain before the anticipated launch date.
Addendum: Information provided by Jinse demonstrates that the 360 team was able to confirm the exploit at 1 PM on May 28 and subsequently reported the security flaw to the EOS development team at 10 PM the same day. EOS requested that 360 not disclose the details of the vulnerability and subsequently repaired the security issue by 2 PM on the 29th.