
Hacks, Bugs And Exploits: Growing Pains For The $4 Billion Blockchain


It has been just over four months since the EOSIO blockchain officially launched, and while it is still young compared to Ethereum or Bitcoin, it has struggled to overcome its controversial rollout. The platform, though named the number one blockchain by the Chinese government, is still fighting RAM costs, bugs, exploits and, of course, centralization fears.

RAM Costs

One of the biggest headaches for dApp developers has been the out of control cost of RAM.

Immediately after EOSIO’s mainnet launch, speculators jumped on RAM looking to turn a profit. Just two weeks after the platform’s launch, RAM utilization rose to 50 percent of the total supply, causing prices to soar as high as 0.94 EOS per KB. And though block producers jumped on top of the issue quickly, doubling the total supply of the limited resource, problems persisted.

In July, Dan Larimer released a “Three Step Plan” for lowering onboarding costs. The post noted that the platform would increase RAM supply, lower account memory usage and provide free accounts usable by any dApp that is compatible with Block.one’s wallet API. And on September 6th, block producers jumped on board, adding 1,400 bytes to all new accounts and reducing the recommended minimum amount of RAM one should purchase by 25 percent.

Block producer New York EOS explained, “EOS account creation cost is an extremely important aspect of the health of the platform. Many users of EOS decentralized applications (dApps) are early adopters, people who are eager and willing to spend the time to understand the EOS blockchain. But in the future, users will not be as eager. The users of the future will want to use the new dApp they found as quickly as possible. In fact, they may not know they’re about to interact with a blockchain at all.

For that to happen, dApp developers will need to pay for the network resources required to onboard users (or pass this cost on to users). Reducing this cost by 25% dramatically reduces the barriers to development when considering account creation at scale.”

With the new tweaks, RAM costs have fallen significantly from the previous highs. But costs aren’t the only problem with the resource.

Bad actors stealing RAM

In late August, a new bug was revealed that allowed bad actors to steal RAM from unsuspecting users. 

EOSEssentials described the exploit, “A malicious user can install code on their account which will allow them to insert [table] rows in the name of another account sending them tokens. This lets them steal RAM by inserting large amounts of garbage into [table] rows when dApps/users send them tokens.”

According to César Rodriguez, one of the developers working on the fix, the stolen RAM cannot be used or sold by the attacker, but it cannot be retrieved by the victim, either.

Dan Larimer compared the exploit to vandalism but mentioned that it should not impact the platform in the long term: “[It] should do no long term damage to the parties involved once the EOS governance process can review and remedy the situation.”

Larimer was also quick to respond with interim advice, suggesting that users remain diligent in reviewing the contracts they interact with. Additionally, he suggested a temporary workaround: creating proxy accounts with no RAM, so that a malicious contract has nothing to bill when tokens pass through them.

dApp Madness

From overly generous e-gambling payouts to botched airdrops, EOS dApps are having a tough month, as well.

On September 9th, an online gambling dApp, DEOSGames, fell victim to an exploit allowing a user to cash out over $23,000 in winnings after hitting the jackpot 24 times in a row. The developers of the dApp were quick to confirm the exploit, stating “Yesterday, we got a malicious contract exploit our contract. It is a good stress test and we got significant improvements on contract level,” adding, “Remember we are still in beta.”

While that may be chump change in the world of crypto-heists, another betting platform reported a significantly larger disruption.

Not even a week later, EOSBETCASINO identified a flaw in their contract wherein a user was able to walk off with over $200,000 worth of tokens. The exploit allowed the user to not pay on losing bets but still cash out when they won.

EOSBETCASINO was quick to fix the exploit and release a statement on Reddit, “On September 14th around 3:00 AM UTC, we experienced a hack and breach of our bankroll, resulting in a theft of 44,427.4302 EOS before our contracts were taken offline by the development team. The remaining 463,745 EOS in our EOSBETDICE11 and EOSBETCASINO contracts are safe, the vulnerability is patched, and we are back online. We want to be as transparent as possible in explaining this breach and addressing any concerns the community might have.”

In addition to the betting app missteps, another dApp highlighted perhaps a more worrying problem with the EOS platform.

Trybe, a blockchain-powered content creation platform, mistakenly gave airdrop recipients up to four times the amount they were supposed to receive. Following the botched giveaway, however, the developers unapologetically and without warning accessed users’ wallets to remove the excess tokens.

This brought into question EOS’ core smart contract protocol which allows all contracts to be edited after they are deployed.

Tom Nordwood, Trybe’s founder, released a statement on Reddit, “We are comfortable in our decision to reverse transactions in this instance rather than leaving huge amounts of tokens in a few people’s wallets… What we did, by the way, is not just a function of the TRYBE token but of any token built on EOS, and to be honest, I was VERY GLAD that it was...”

This is not a new occurrence, either. Since the EOSIO launch, accounts have been frozen and accessed illegitimately on several occasions.

Decentralized Exchange Highlights Another Vulnerability

Newdex, a relatively new exchange trying to ride the ‘DEX’ or decentralized exchange hype, was flooded with over 1 billion fake EOS tokens, ultimately leading to the theft of over $50,000 in real crypto.

The attack was primarily the fault of the exchange, which, for whatever reason, does not use smart contracts. This critical detail means that the exchange was unable to verify the legitimacy of the ‘EOS’ tokens used in the attack.


Reddit users even pointed out this vulnerability days before the attack: “Unlike a real DEX, they do not have a smart contract that holds funds / handles order matching on-chain. Instead, they match all orders off-chain in a centralized server. I received this response from their support confirming this is the case: https://i.imgur.com/bo2TJ1m.png”

But it does also raise another important issue regarding the EOSIO platform itself.

Any user is able to create a token and name it anything they want. Though the community should rely on its own due diligence and on the due diligence of service providers, this design could potentially lead to more attacks of a similar nature.
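The Newdex incident above and the token-naming problem just described come down to one check: a token is identified by the contract account that issued it, not by its symbol. Below is an added, constructed Python model (not EOSIO code, not Newdex’s code) of a deposit handler that receives transfer notifications. In EOSIO the receiving contract is told which account’s code executed the transfer action; the model carries that as a `code` field. The account names `dex.account`, `fake.token`, `alice` and `mallory` and the amounts are made up for the demonstration; `eosio.token` is the real system token contract on the EOS mainnet.

```python
"""Constructed model of an EOSIO-style token deposit handler (not EOSIO code).

It mimics two facts from the article: any account can deploy a token contract
with any symbol, and a contract receiving a transfer notification learns which
contract account emitted it.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the system token lives at "eosio.token" (true on EOS mainnet).
CANONICAL_TOKEN_CONTRACT = "eosio.token"
CANONICAL_SYMBOL = ("EOS", 4)  # symbol code and decimal precision


@dataclass(frozen=True)
class Asset:
    amount: int      # integer count of the smallest unit
    symbol: str      # symbol code, e.g. "EOS"
    precision: int   # number of decimal places


def parse_asset(text: str) -> Asset:
    """Parse an EOSIO-style asset string such as "1.2345 EOS"."""
    number, symbol = text.strip().split()
    if not (symbol.isalpha() and symbol.isupper() and 1 <= len(symbol) <= 7):
        raise ValueError(f"bad symbol code: {symbol!r}")
    whole, _, frac = number.partition(".")
    if not whole.isdigit() or (frac and not frac.isdigit()):
        raise ValueError(f"bad amount: {number!r}")
    return Asset(int(whole) * 10 ** len(frac) + int(frac or 0), symbol, len(frac))


@dataclass(frozen=True)
class TransferNotification:
    code: str        # contract account whose `transfer` action ran
    sender: str
    receiver: str
    quantity: Asset
    memo: str


def naive_credit(exchange: str, note: TransferNotification, balances: dict) -> bool:
    """Weak handler: trusts the symbol alone, so any contract's 'EOS' is credited."""
    if note.receiver != exchange or note.quantity.symbol != CANONICAL_SYMBOL[0]:
        return False
    balances[note.sender] += note.quantity.amount
    return True


def hardened_credit(exchange: str, note: TransferNotification, balances: dict) -> bool:
    """Hardened handler: credits only transfers emitted by the canonical contract."""
    if note.receiver != exchange:
        return False                      # notification not addressed to us
    if note.code != CANONICAL_TOKEN_CONTRACT:
        return False                      # counterfeit token contract
    if (note.quantity.symbol, note.quantity.precision) != CANONICAL_SYMBOL:
        return False                      # wrong symbol or precision
    if note.quantity.amount <= 0:
        return False
    balances[note.sender] += note.quantity.amount
    return True


def run_demo(handler):
    """Feed a genuine and a counterfeit deposit to a handler; return results."""
    balances = defaultdict(int)
    genuine = TransferNotification("eosio.token", "alice", "dex.account",
                                   parse_asset("5.0000 EOS"), "deposit")
    counterfeit = TransferNotification("fake.token", "mallory", "dex.account",
                                       parse_asset("1000000000.0000 EOS"), "deposit")
    results = [handler("dex.account", n, balances) for n in (genuine, counterfeit)]
    return results, dict(balances)


if __name__ == "__main__":
    print("naive:   ", run_demo(naive_credit))
    print("hardened:", run_demo(hardened_credit))
```

The naive handler credits a billion counterfeit “EOS” because it never asks who issued them; the hardened handler pins the issuing contract and the full symbol (code plus precision) before touching a balance. The same check applies to any service that accepts deposits on the platform, on-chain or off.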

What’s Next for EOSIO?

While the platform has had a tough time working out all of the bugs, it is important to remember that it is only a few months old. There are going to be hiccups in any launch of this scale. But it is clear that block producers have their hands full. How EOSIO’s governance reacts to these problems will be key moving forward.

From Bancor’s pivot to the platform to Dan Larimer’s ambitious UBI propositions, the platform itself is ripe with potential, and it is obvious that its creators are some of the best in the business.

EOSIO has a long way to go before it can be compared to Bitcoin or Ethereum, both of which have had their own growing pains, but in the meantime, there are some handsome rewards for anyone who wants to lend a hand in identifying and helping to fix bugs on the platform.

By Michael Kern via Crypto Insider
