TL;DR: “Something is happening with CPU on #EOS right now,” an enthusiast based in Tokyo, Japan from the EOS community worried aloud on social media. “We’re under attack. Mayday.” Apparently, an attacker was able to drain tens of thousands of EOS from its popular online gambling platform, EOSPlay. EOS co-founder Dan Larimer attempted damage control, issuing assurances and lessons.
EOS Community Shaken by Online Gambling Exploit
Co-founder Daniel Larimer assured, “#EOS is operating correctly. This is no different than when attackers flood eth or bitcoin with high fee transaction spam. The network didn’t freeze for token holders, there was just no extra bandwidth available for free use.”
Larimer was responding to contentions that an attacker might have been able to use part of the EOS Authority, its Resource Exchange (REX), to exploit the decentralized application (dApp) for online gambling, EOSPlay … to the tune of 30,000 EOS tokens ($112,200 at press time) for only a fraction of the exploit’s cost.
“He’s doing something so he can win every roll on [EOSPlay],” an enthusiast gasped. “Dude is emptying EOSPlay right now,” theorizing how “someone rented a load of resources from REX and is using it to exploit a gambling dapp called EOSPlay. They seem to have walked away with about 30k EOS so far.”
EOSPlay Apologizes, Smart Contract Lesson, “Not EOS Flaw”
REX, also created by Larimer, has been around since summer of 2018, and it “allows token holders to lease out their spare EOS tokens to Dapps or others that need resources in return for ‘rent’ and access to community funds like RAM fees and name auction fees,” according to its FAQs. Asked, “What are the risks of REX?” the answer comes matter-of-factly, “REX is a system contract and will be deployed on the account eosio.rex. There is no third party which means you don’t trust anyone. As a holder you convert your EOS into REX. When you sell REX you will get your EOS back or more. Never less than what you put in.”
EOSPlay offers dice rolls and slots, and even a lottery, most of it based on block hash monitoring. Regarding the exploit, the dApp’s Telegram posted on 13 September 2019, “We have noticed suspicious betting behavior and spikes of cpu usage over all of the eos mainnet. The performance of the eos mainnet has been severely impacted and we have to suspend our service until the eos mainnet comes back to normal.” EOSPlay’s Medium account is suspended, and “is under investigation or was found in violation of the Medium Rules.”
“Owning and staking #eos gives users a pro rata share of available bandwidth,” Larimer explained. “When people don’t use their share it is redirected to others on a pro rata basis. During heavy use users no longer receive this free benefit. Lesson learned here is don’t design contracts that depend upon extra bandwidth available during uncontested mode. The eosplay contract should have a low cpu action to pause execution available to contract maintainers.”
Smart-contract developer, security engineer, and investor Dexaran stressed the attacker acted in four steps: “1. Rented a huge amount of CPU and NET at #EOSREX resource exchange. 2. Staked CPU&NET for (1) himself and (2) attacked contract. 3. Congested the network. 4. Initiated some transactions to the attacked contract. Won a lot of $EOS in gambling DApps.” By 14 September 2019, however, Dexaran concluded, “Attack stopped, network is back in a normal mode. >30K EOS stolen because of the vulnerability of DApp design. Not $EOS flaw. Just a smart-contract that was hacked. To smart-contract devs: 1. Follow best security practices. 2. Do not rely on on-chain source of entropy in EOS.” Accountant CryptoTim posted an explainer video, detailing the attack, hoping to dispel what he characterized as FUD.
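The failure mode Larimer describes (a contract that depends on bandwidth borrowed during uncontested mode) and the congestion step in Dexaran’s sequence can be illustrated with a small simulation. The following is an added example, not code from the article, from EOSPlay or from the EOS software. It models CPU allocation as a simple per-round pro rata split: each account is guaranteed capacity × stake / total stake, and unused guaranteed capacity is redistributed pro rata among accounts that want more. That model, the account names, the stake and demand figures and the per-action costs are all constructed assumptions; real EOS resource accounting uses a sliding time window that this page does not describe. What the example shows is that a low-stake contract which runs comfortably on idle capacity drops to its own small guarantee as soon as a large staker consumes its share, and that a maintainer pause action is only usable under congestion if it fits inside that guarantee.

```python
"""Added example (not from the article, EOSPlay or EOS): a simplified pro rata
CPU allocation model. All account names and numbers below are constructed."""


def allocate_cpu(stakes, demand, capacity):
    """Split `capacity` units of CPU between accounts for one round.

    Each account is guaranteed capacity * stake / total_stake. Whatever part of a
    guarantee goes unused is redistributed, pro rata by stake, to accounts whose
    demand exceeds their guarantee (the 'uncontested mode' extra). This is a
    simplified model, not the actual EOS sliding-window accounting.
    """
    total_stake = sum(stakes.values())
    guaranteed = {a: capacity * s / total_stake for a, s in stakes.items()}
    alloc, unmet, leftover = {}, {}, 0.0
    for account, g in guaranteed.items():
        d = demand.get(account, 0.0)
        if d <= g:
            alloc[account] = d          # within guarantee: fully served
            leftover += g - d           # the rest is idle and available to others
        else:
            alloc[account] = g          # guarantee served; the remainder must be borrowed
            unmet[account] = d - g
    # Hand out idle capacity pro rata by stake until it is gone or nobody needs more.
    while leftover > 1e-9 and unmet:
        needy_stake = sum(stakes[a] for a in unmet)
        granted = 0.0
        for account in list(unmet):
            grant = min(leftover * stakes[account] / needy_stake, unmet[account])
            alloc[account] += grant
            unmet[account] -= grant
            granted += grant
            if unmet[account] <= 1e-9:
                del unmet[account]
        leftover -= granted
        if granted <= 1e-9:
            break
    return alloc


def actions_affordable(cpu_budget, cost_per_action):
    """Number of actions of a given CPU cost that fit in a budget."""
    return int(cpu_budget // cost_per_action)


def scenario(whale_demand):
    """Constructed scenario: a gambling contract staking 1% of supply next to a
    large staker holding 99%. Returns the contract's CPU allocation."""
    stakes = {"gamecontract": 1.0, "bigstaker": 99.0}   # constructed stakes
    demand = {"gamecontract": 40.0, "bigstaker": whale_demand}
    return allocate_cpu(stakes, demand, capacity=100.0)["gamecontract"]


if __name__ == "__main__":
    quiet = scenario(whale_demand=0.0)    # uncontested: borrows idle capacity
    busy = scenario(whale_demand=99.0)    # contested: only its own guarantee is left
    print(f"uncontested: {quiet:.1f} CPU units, contested: {busy:.1f} CPU units")
    # A pause action is only reachable under congestion if it fits the guarantee.
    print("expensive pause usable under congestion:", actions_affordable(busy, 2.0) > 0)
    print("cheap pause usable under congestion:", actions_affordable(busy, 0.5) > 0)
```

Running the script prints 40.0 units for the contract while the large staker is idle and 1.0 unit once that staker uses its share; with a pause action costing 2.0 units the maintainers cannot invoke it at all, with one costing 0.5 units they still can, which is the practical content of Larimer’s “low cpu action to pause execution” remark.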
DISCLOSURE: The author holds cryptocurrency as part of his financial portfolio, including BCH.