The developers of one of the top-traded cryptocurrencies, EOS, say they’ve patched a vulnerability that reportedly could have compromised EOS’s entire forthcoming platform.
Chinese security company Qihoo 360 said in a Tuesday blog post that its researchers discovered an “epic” vulnerability in the EOS platform that could allow someone to manipulate all transactions, among other things.
In a technical write-up, security researchers with Qihoo 360 explained that a hacker would have been able to upload a smart contract with malicious code onto the EOS mainnet and take over a node. Smart contracts are a feature of blockchain and cryptocurrencies that allow for transactions without middlemen.
Once the malicious code takes control of a relevant server, an “attacker could then pack the malicious contract into new block (sic) and further control all nodes of the EOS network.”
Qihoo 360 warns that because of the distributed nature of blockchain technology, compromising one node can put the whole system at risk. In the vulnerability Qihoo 360 reported, attackers could steal private keys to cryptowallets, control transactions, view private data and hijack EOS nodes to cryptomine or conduct a denial-of-service attack.
“Due to the decentralized computing architecture, a security hole in a single blockchain node can compromise the whole network,” the researchers wrote.
While EOS hasn’t actually launched its mainnet yet, it’s already been distributing tokens on the ethereum blockchain for sale and trade. The EOS mainnet is scheduled for launch on June 1.
In addition, Larimer tweeted out a bug bounty on Thursday, offering $10,000 for information about any unique software flaws that can be used to “cause a crash, privilege escalation, or non-deterministic behavior in smart contracts” before the EOS platform launches.
Help us find critical bugs in #EOSIO before our 1.0 release. $10K for every unique bug that can cause a crash, privilege escalation, or non-deterministic behavior in smart contracts. Offer subject to change, ID required, validity decided at the sole discretion of Block One. — Daniel Larimer (@bytemaster7), May 28, 2018