These vulnerabilities allow attackers to gain remote control over any EOS node, construct and publish malicious smart contracts, or become a ‘free miner’ and mine digital currencies based on the EOS platform.
Since the attacker can gain complete control over an EOS node, they can literally do whatever they want. This includes stealing the key of the EOS super node, controlling the transactions of cryptocurrencies on the EOS network, or acquiring financial and privacy data about the users including their wallet private keys.
EOS was gearing up for the launch of its main network, commonly referred to as Mainnet, which was slated to happen on June 2, 2018. But the launch might be postponed in light of this discovery.
According to the official statement from Qihoo 360, the company has made the person in charge of the EOS network aware of the vulnerabilities, and that person has promised to hold off the Mainnet launch until the bugs are fixed.
Qihoo 360 has stated that the security risks with the EOS network are unprecedented, and that the entire blockchain industry and security experts need to pay extra attention to enhancing the security of blockchain networks.
We have reached out to EOS for a comment. If they respond, we will update the story accordingly.
Update [May 30, 2018 — 8:55 AM GMT] EOS has stated that it’s working to resolve the vulnerabilities, and the Mainnet launch will take place on schedule.
Media has incorrectly reported a potential delay in the release of EOSIO V1 due to software vulnerabilities. Our team has already fixed most and is hard at work with the remaining ones. EOSIO V1 is on schedule; please stay tuned to our EOSIO channels for official information.
— EOS (@EOS_io) May 30, 2018
Published May 29, 2018 — 09:31 UTC