Chinese researchers warn blockchain company EOS about ‘epic’ vulnerability in soon-to-launch platform

The vulnerability reportedly could have compromised the whole EOS blockchain framework.

The developers of one of the top-traded cryptocurrencies, EOS, say they’ve patched a critical vulnerability that reportedly could have compromised EOS’s entire forthcoming platform.

Chinese security company Qihoo 360 said in a Tuesday blog post that its researchers discovered an “epic” vulnerability in the EOS platform that could allow someone to manipulate all transactions.

In a technical write-up, security researchers with Qihoo 360 explained that a hacker would have been able to upload a smart contract with malicious code onto the EOS mainnet and take over a node. Smart contracts are a feature of blockchain and cryptocurrencies that allow for transactions without middlemen.

Once the malicious code takes control of a relevant server, an “attacker could then pack the malicious contract into new block (sic) and further control all nodes of the EOS network.”
Qihoo 360 warns that because of the distributed nature of blockchain technology, compromising one node can put the whole system at risk. In the vulnerability Qihoo 360 reported, attackers could steal private keys to cryptowallets, control transactions, view private data and hijack EOS nodes to cryptomine or conduct a denial-of-service attack.

“Due to the decentralized computing architecture, a security hole in a single blockchain node can compromise the whole network,” the researchers wrote.

While EOS hasn’t actually launched its mainnet yet, it’s already been distributing tokens on the Ethereum blockchain for sale and trade. The EOS mainnet is scheduled for launch on June 1.

Daniel Larimer, EOS’s chief technology officer, reportedly told Qihoo 360 that the mainnet would not launch until the vulnerability was fixed. CoinDesk reports that it’s already been taken care of.

Larimer appeared to downplay the severity of the flaw discovered by Qihoo in a series of messages posted Tuesday to Twitter.
In addition, Larimer tweeted out a bug bounty on Monday, offering $10,000 for information about any other unique software flaws that “cause a crash, privilege escalation, or non-deterministic behavior in smart contracts” before the EOS platform launches.

According to cyberthreat intelligence firm GreyNoise, as of Tuesday midday, hackers had already begun to scan the internet, looking for accidentally exposed EOS blockchain nodes. It appears that the scanning started shortly after Qihoo 360’s research was first made public, but the two events are likely unrelated, according to BleepingComputer.
