Home News Korean University Team Introduce Four EOSio Attack Vectors, One Confirmed Fatal

Korean University Team Introduce Four EOSio Attack Vectors, One Confirmed Fatal

TL;DR: Professor Yongdae Kim of the Korea Advanced Institute of Science and Technology (KAIST) university in Seoul led a team of four students to research “fundamental problems stemming from the EOSio design,” the operating system for the EOS cryptocurrency. In a paper to be given 13 August 2019 at the USENIX symposium, his team will report having introduced “four attacks whose root causes stem from the unique characteristics of EOS.IO […] one of which is confirmed to be fatal.” 

Research Team Introduces Four EOSio Attack Vectors, One Confirmed Fatal

Who Spent My EOS? On the (In)Security of Resource Management of EOSio is 11 pages of research to be combed-over at the 28th USENIX Security Symposium in Santa Clara, CA as part of its Workshop on Offensive Technologies (WOOT ’19). Professor Kim, who teaches electrical engineering, explained to CoinSpice, “There are a lot of research papers on Ethereum and Bitcoin. But, not for EOSio. EOS has a lot of users and a large amount of money involved. But, it gets no attention from either academia or the security community. So we decided to look at EOS.”


Kim described the four research students as coming from a “software security background,” with authors Sangsup Lee and Daejun Kim being the primary researchers who “came up with the EOSio attacks.” Their block delay attack, SCP CPU-drain attack, SCP RAM-drain attack, and a RAMsomware attack are all detailed in the paper, along with mitigations, preventions, and redesign proposals.

The attacks’ “root causes stem from the unique characteristics of EOS.IO,” the KAIST team notes, “including intentionally slowing down the block creation time—which can disrupt the essential functions of its blockchain and incapacitate the entire EOS.IO system. In addition, we find that an adversary can partially freeze the execution of a target smart contract or maliciously consume all the resources of a target user with crafted requests.”

Delay All Transactions, Exploit Resource Management, Disrupt Smart Contracts

The team reported to the EOSio Foundation all of the threats they found, one of which was confirmed to be “fatal.” CoinSpice asked Professor Kim about the EOSio foundation reaction to the news, and he insisted they “patched it 5 days after we reported it. We received a Bug Bounty of $10,000.”


They describe the block delay attack as “a novel attack that exploits a transaction scheduling policy of the EOS.IO system. This attack is able to delay all transactions in
the system, thus resulting in the DoS.” Their two new attack methods, SCP CPU-drain
and SCP RAM-drain, “exploit resource management policies unique to the system, thus
disrupting services from a target smart contract provider.” The RAMsomware attack scenario “abuses controversial design decisions of the system. The attack allows locking EOS-RAM resources of a target user which enables an attacker to ask a ransom in exchange for releasing the locked EOS-RAM resources,” the KAIST team claimed.

CoinSpice asked about research funding, and Kim confirmed the paper’s acknowledgment of receiving from the South Korea government an “Institute for Information & communications Technology Promotion” grant. “The funding is for blockchain security,” Kim stressed, “is important as the government is interested in using blockchain.” He also revealed his students aren’t necessarily “in” to cryptocurrency and, as far as he knows, do not invest or use it in their personal lives.

DISCLOSURE: The author holds cryptocurrency as part of his financial portfolio, including BCH. 

EOSioCONTINUE THE SPICE and check out our piping hot VIDEOS. Our podcast, The CoinSpice Podcast, has amazing guests. Follow CoinSpice on Twitter. Join our Telegram feed to make sure you never miss a post. Drop some BCH at the merch shop — we’ve got some spicy shirts for men and women. Don’t forget to help spread the word about CoinSpice on social media.

DYOR: CoinSpice is your home for just spicy crypto things. We’re not affiliated with any cryptocurrency project or token. Each published piece is intended for information purposes only, not investment advice and not in the hope of impacting speculative markets. There are plenty of trading sites and coin-specific advocacy journals out there, we’re neither. CoinSpice strives for rigorous accuracy in our reporting. Information presented here is contingent usually on a host of factors, and the ecosystem moves fast — prices change, projects change, and at warp speed. Do your own research.