Qihoo 360, China’s largest internet security company, recently published an announcement that the EOS mainnet launch scheduled for June 2 could be delayed because of a series of high-risk security vulnerabilities that could cripple the entire EOS network.
The announcement on May 29 states that the 360 team identified a flaw within the EOS code that would make it possible for nodes within the EOS network to be remotely compromised:
«Recently, the 360 Vulcan team discovered a series of high-risk security vulnerabilities in blockchain platform EOS. It has been verified that some of these vulnerabilities can remotely execute arbitrary code on the EOS node. That is, remote attacks can directly control and take over all nodes running on EOS».
Currently the EOS development team is pushing toward the June 2nd launch of the EOS platform, with exchanges such as Binance, Bitfinex, and Kucoin all announcing support of the shift from an EOS ERC-20 token to the new EOS blockchain.
But the launch may be interrupted if the EOS development team is unable to correct the vulnerabilities identified by Qihoo 360 before the launch date.
Qihoo 360 says that the EOS network makes it possible for malicious individuals to publish a smart contract containing code that could potentially create an attack vector.
The flaw identified by the Qihoo 360 team could be used to package a malicious contract into a new block; once the full nodes in the network processed that block, they could be controlled remotely.
«Since the system of the node is completely controlled, the attacker can «do whatever it wants», such as stealing the key of the EOS super node, controlling the virtual currency transactions of the EOS network; and acquiring other financial and privacy data in the EOS network participating node system – such as a user’s key stored in the wallet, key user profiles, privacy data, and more», says the Qihoo 360 team.
According to Qihoo 360, such an incident would make it possible for attackers to conscript compromised EOS nodes into a botnet.
The Qihoo 360 team reported the vulnerability to EOS officials on May 29 and is currently working with the EOS development team to ensure the issue is fixed before launch.
The person in charge of the EOS network said that the EOS network will not be officially launched until these issues are fixed.
The security flaw is apparently located within the smart contract virtual machine on the EOS platform, but the Qihoo 360 team has not yet published any documentation regarding the security issue.
Roshan Abraham, the Head of Technology at EOS block producer candidate EOS Authority, states that, while EOS Authority has no specific information regarding the security vulnerability, it is unlikely that the EOS project has VM issues:
«The VM used in EOS is WebAssembly. WebAssembly is actively developed by Google, Microsoft and other major companies. It is highly unlikely to have VM issues. It is most likely to be a specific issue with nodeos (the program that runs the block production on each block producer’s server)».
Collaboration between the EOS team and Qihoo 360 will likely benefit the EOS project, allowing EOS to draw on Qihoo 360’s experience and resources to improve the overall security of the EOS blockchain before the anticipated launch date.
According to Chinese media outlet Jinse, the security flaw identified by the 360 team was isolated and resolved by the EOS development team at 2 PM on May 29. The same report gives the timeline: the 360 team confirmed the exploit at 1 PM on May 28 and reported the security flaw to the EOS development team at 10 PM the same day. EOS asked 360 not to disclose the details of the vulnerability and had repaired the security issue by 2 PM on May 29.