Any cryptocurrency network and its underpinning code are subject to malicious intervention. This is especially true when it comes to smart contracts. Numerous projects offer this functionality, which exposes all of them to potential hacks and theft. For one EOS-based gambling dApp, a recent exploit cost them over 30,000 EOS in the process. It is not unlikely such an attack will be repeated in the future.
A bad day for EOSPlay
Most people are well aware how EOS is primarily used to build gambling dApps. That is a rather logical development, as the cryptocurrency community often flocks to gambling services, for some unknown reason. As of right now, the top EOS dApps mainly provide gambling services, which attracts a lot of users. Among those users, not everyone has legitimate intentions either.
For the EOSPlay team, a very problematic scenario has arisen. Not only has its smart contract code been exploited by a hacker, but they also lost over 30,000 EOS in the process. It appears the hacker was able to manipulate the smart contract in such a manner all of the bets placed would result in a profit. How or why something like that is possible in 2019, raises plenty of questions, for obvious reasons.
How was it Exploited?
The EOS ecosystem is quite intriguing in its own regard. Many different services and technologies are at play at any given moment. Not too long ago, users received the ability to rent and lease CPU and NET through the REX resource exchange. Although this is a welcome addition to the ecosystem, it was seemingly a matter of time until someone would use for nefarious purposes. That day has now come, and the consequences should not be ignored.
What attacker did:
1. Rented a huge amount of CPU and NET at #EOSREX resource exchange.
2. Staked CPU&NET for (1) himself and (2) attacked contract.
3. Congested the network.
4. Initiated some transactions to the attacked contract. Won a lot of $EOS in gambling DApps.
— Dexaran (@Dexaran) September 14, 2019
The attacker staked CPU and NET for his own purposes, and attacked the EOSPlay smart contract. This allowed him to negate other users’ transactions, up to a certain degree. After a while, the EOS network becomes slightly congested, which let the attack initiate certain contracts to the gambling dApp in question. The winning conditions were manipulated, and over 30,000 changed hands in very quick succession. Even the developers could not halt this attack while it was in progress due to congestion.
An Inherent Flaw?
Issues like these only highlight the core weaknesses of the different cryptocurrency ecosystems. It is not an issue native to EOS, although the method through which it was exploited certainly is. Smart contract-oriented attacks have been in place on Ethereum for some time as well. In most cases, hackers successfully claim some funds in the process, which will only encourage more criminals to try their hand at this method in the future.
The bigger question is how the EOS community will respond to this new turn of events. The credibility of the project is far from an all-time high, primarily due to the high degree of perceived centralization. Additionally, the public figure of EOS – Dan Larimar – has made some remarks regarding Bitcoin and Ethereum which weren’t appreciated. Plenty of users wish ill-will upon EOS because of its public face being a persona non grata in the crypto world. A very troublesome situation indeed, albeit one that needs to be rectified as soon as possible.