SlowMist, a Chinese cybersecurity firm, says it has discovered a security vulnerability that allows users to have EOS deposits credited without actually transferring any funds.
The crypto exchange OKEx has confirmed the vulnerability.
EOS, one of the world's largest platforms for building and deploying decentralized applications (dApps), may be vulnerable to attack, according to Chinese cybersecurity firm SlowMist Technology Co. Ltd.
SlowMist's medium-severity advisory, which describes the issue as a “fake deposit” vulnerability, states that an attacker “can successfully deposit EOS on these platforms without transferring any tokens.” The platforms that may be affected by the EOS vulnerability include digital asset exchanges, wallets and other cryptocurrency services, SlowMist said.
Fake Deposit Vulnerability Similar to Ethereum's Fake Deposit Attack
The security firm also stated in its blog that a real attack has already taken place. However, SlowMist has not yet disclosed any details of the attack, except to note that it is somewhat similar to the fake deposit attacks on USDT and Ethereum accounts. As the SlowMist blog puts it:
“The platform should be responsible for this [fake deposit vulnerability]. Since this is a new type of attack, and the attack is already underway, if other platforms are not completely confident in their own verification of the deposit process, they should immediately suspend EOS deposits and recheck the process. The specific details of the attack will be revealed by the SlowMist Security Team.”
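SlowMist's advice is to recheck how the deposit process is verified. As an added illustration, not code from SlowMist, OKEx or this article (which discloses no details of the attack), the Python below shows the kind of checks a deposit-crediting routine can apply to an EOS transfer notification before a user's balance is credited. The trace field names, the exchange account name, the memo-to-user registry and the sample traces are all constructed assumptions; `eosio.token` is the system token contract on EOS.

```python
"""Deposit-crediting checks for an EOS-style transfer notification.

Added illustration, not SlowMist's, OKEx's or the article's code. The
field layout of TransferTrace, the exchange account, the memo registry
and the sample traces below are constructed assumptions.
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

EXCHANGE_ACCOUNT = "exchg.hot"           # hypothetical receiving account
OFFICIAL_TOKEN_CONTRACT = "eosio.token"  # system token contract on EOS
EXPECTED_SYMBOL = "EOS"
EXPECTED_PRECISION = 4                   # EOS is a 4-decimal asset

# Hypothetical registry mapping deposit memos to internal user ids.
USER_BY_MEMO = {"u1001": "alice", "u1002": "bob"}


@dataclass(frozen=True)
class TransferTrace:
    """Fields an indexer would extract from an action trace (assumed shape)."""
    tx_id: str
    contract: str       # account whose contract code executed the action
    action: str
    sender: str
    receiver: str
    quantity: str       # e.g. "10.0000 EOS"
    memo: str
    status: str         # transaction receipt status, e.g. "executed"
    irreversible: bool  # block is at or below the last irreversible block


def parse_quantity(quantity):
    """Split "10.0000 EOS" into (Decimal amount, symbol, precision); None if malformed."""
    try:
        amount_str, symbol = quantity.strip().split(" ")
        amount = Decimal(amount_str)
    except (ValueError, InvalidOperation):
        return None
    precision = len(amount_str.split(".")[1]) if "." in amount_str else 0
    return amount, symbol, precision


def validate_deposit(trace, credited_tx_ids):
    """Return (ok, reason). Every check must pass before a deposit is credited."""
    if trace.status != "executed":
        return False, "transaction did not execute successfully"
    if not trace.irreversible:
        return False, "block not yet irreversible"
    if trace.contract != OFFICIAL_TOKEN_CONTRACT or trace.action != "transfer":
        return False, "not a transfer executed by the official token contract"
    if trace.receiver != EXCHANGE_ACCOUNT:
        return False, "receiver is not the exchange account"
    parsed = parse_quantity(trace.quantity)
    if parsed is None:
        return False, "malformed quantity"
    amount, symbol, precision = parsed
    if symbol != EXPECTED_SYMBOL or precision != EXPECTED_PRECISION:
        return False, "unexpected asset symbol or precision"
    if amount <= 0:
        return False, "non-positive amount"
    if trace.memo not in USER_BY_MEMO:
        return False, "memo does not identify a user"
    if trace.tx_id in credited_tx_ids:
        return False, "transaction already credited"
    return True, "ok"


def credit_deposits(traces, ledger=None, credited_tx_ids=None):
    """Apply validated deposits to an in-memory ledger; return (ledger, rejected)."""
    ledger = {} if ledger is None else ledger
    credited = set() if credited_tx_ids is None else credited_tx_ids
    rejected = []
    for trace in traces:
        ok, reason = validate_deposit(trace, credited)
        if ok:
            amount = parse_quantity(trace.quantity)[0]
            user = USER_BY_MEMO[trace.memo]
            ledger[user] = ledger.get(user, Decimal(0)) + amount
            credited.add(trace.tx_id)
        else:
            rejected.append((trace.tx_id, reason))
    return ledger, rejected


# Constructed sample traces: one genuine deposit and several that must be refused.
SAMPLE_TRACES = [
    TransferTrace("tx-good", "eosio.token", "transfer", "alice1", "exchg.hot",
                  "10.0000 EOS", "u1001", "executed", True),
    TransferTrace("tx-othercontract", "someother.tok", "transfer", "carol1", "exchg.hot",
                  "50.0000 EOS", "u1002", "executed", True),   # not the official contract
    TransferTrace("tx-failed", "eosio.token", "transfer", "bob1", "exchg.hot",
                  "5.0000 EOS", "u1002", "hard_fail", True),   # transaction failed
    TransferTrace("tx-pending", "eosio.token", "transfer", "bob1", "exchg.hot",
                  "5.0000 EOS", "u1002", "executed", False),   # not yet irreversible
    TransferTrace("tx-good", "eosio.token", "transfer", "alice1", "exchg.hot",
                  "10.0000 EOS", "u1001", "executed", True),   # replay of tx-good
]

if __name__ == "__main__":
    final_ledger, refused = credit_deposits(SAMPLE_TRACES)
    print("ledger:", final_ledger)
    for tx_id, why in refused:
        print(f"rejected {tx_id}: {why}")
```

Running the block credits only `tx-good` (10 EOS to alice) and reports a distinct reason for each of the other traces. The order of checks matters in practice: execution status and irreversibility are tested before anything about the asset, so a notification from a failed or still-reversible transaction is never examined as if it were a settled transfer.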
OKEx Confirms the Vulnerability
In response to SlowMist's warning, OKEx, a crypto exchange headquartered in Hong Kong, confirmed via Twitter that it “is aware of the vulnerability in EOS deposits”. But OKEx management also confirmed that the company's trading platform is “not vulnerable.”
Last month, the EOS community's Telegram group reported that 2.09 million EOS tokens (over $7 million) were transferred to a blacklisted EOS holder. Several media outlets called the incident a “theft,” but a detailed investigation by BreakerMag revealed that an interim order of the EOS arbitration panel to block malicious accounts had reportedly been violated.
400,000 EOS Tokens Reportedly Stolen From Hacked Accounts
In December 2018, cybersecurity research firm PeckShield published a report stating that only 120,000 of the approximately 500,000 EOS accounts were currently active. The PeckShield research team also reported that, since its inception, more than 200,000 EOS accounts (about 37%) have been inactive.
Notably, PeckShield researchers found that 27 EOS-based dApps had serious vulnerabilities, though these security issues were not directly related to the EOS blockchain itself. Because of these vulnerabilities, more than 400,000 EOS tokens were stolen (worth about $700,000 at the time of the hacks).