Guido Vranken, the security researcher who earlier won $120,000 in the EOS bug bounty program, has discovered another vulnerability in EOS. More worryingly, it appears he is not the only one to have found new kinks in the network.
Vranken says the new flaw he discovered has to do with “unbounded recursion in Binaryen WASM parsing.”
For those unfamiliar, unbounded recursion occurs when a function keeps calling itself with no limit on how deep the calls can go; each call consumes more stack memory until the process runs out of resources and crashes. This means that if anyone parses or compiles WebAssembly (WASM) with Binaryen, a crafted input could bring the process down.
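As an added illustration (not Vranken's finding and not Binaryen's own code), here is a toy recursive-descent parser for nested WebAssembly blocks that caps nesting depth, so that a deeply nested input is rejected instead of recursing until the stack is exhausted; the two opcode bytes, the MAX_NESTING limit and the sample bodies are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-ins for two WebAssembly control opcodes: in the real
// binary format 0x02 opens a "block" and 0x0B is "end". This toy parser
// handles only these two bytes and treats any other byte as a flat
// instruction (assumption: no block types or immediates are modelled).
constexpr uint8_t OP_BLOCK = 0x02;
constexpr uint8_t OP_END   = 0x0B;

// Hypothetical hard cap on nesting depth; the actual value is a design choice.
constexpr size_t MAX_NESTING = 1000;

struct ParseResult {
  bool ok;          // false if the input was malformed or nested too deeply
  size_t maxDepth;  // deepest nesting level that was actually entered
};

// Parse one block body starting at 'pos'. Every nested block is another
// stack frame, so without the depth check a long run of 0x02 bytes would
// recurse until the stack is exhausted; with it, parsing fails cleanly.
static bool parseBlock(const std::vector<uint8_t>& code, size_t& pos,
                       size_t depth, size_t& maxDepth) {
  if (depth > MAX_NESTING) return false;  // refuse to recurse any further
  if (depth > maxDepth) maxDepth = depth;
  while (pos < code.size()) {
    uint8_t op = code[pos++];
    if (op == OP_BLOCK) {
      if (!parseBlock(code, pos, depth + 1, maxDepth)) return false;
    } else if (op == OP_END) {
      return true;  // this block is closed
    }
    // any other byte: a flat instruction that opens no new nesting level
  }
  return false;  // input ended before the matching END
}

// A function body is a sequence of instructions closed by a final END;
// trailing bytes after that END are treated as malformed input.
ParseResult parseFunctionBody(const std::vector<uint8_t>& code) {
  size_t pos = 0, maxDepth = 0;
  bool ok = parseBlock(code, pos, 0, maxDepth);
  return {ok && pos == code.size(), maxDepth};
}

// Constructed sample body: 'n' nested blocks, each properly closed.
std::vector<uint8_t> nestedBody(size_t n) {
  std::vector<uint8_t> v(n, OP_BLOCK);
  v.insert(v.end(), n + 1, OP_END);  // n inner ENDs plus the function's END
  return v;
}
```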
The HackerOne profile of Block.one shows that Vranken has already been paid $100,000 for 10 different vulnerabilities.
Vranken is not sure whether there are still other bugs left in EOS. But it definitely appears that other researchers are still receiving bounties for discovering bugs — the latest was just 17 hours ago at the time of writing.
Chinese security firm Qihoo 360 discovered a series of vulnerabilities in EOS in May. The glitches could allow hackers to remotely access the network’s nodes, compromising the entire EOS blockchain.
The bug bounty program was launched in the aftermath of those discoveries, and the blockchain, which was slated to launch on June 2, saw a significant delay.
It is also worth noting that the EOS blockchain is currently stuck in a middle ground between launched and live. The blockchain finally launched on June 10 after getting a unanimous ‘go’ vote from the block producer candidates, but only technically.
The EOS cryptocurrency will remain locked up until the 21 block producer candidates are elected. As Coindesk points out, at least 15 percent of all EOS supply needs to be staked for block producer candidates to be elected. Days after the launch, the voting still hasn’t passed the 10-percent mark.
Staking the coins requires investors to use their private key, which some feel puts their investment at risk. Exposing a private key the wrong way could mean losing all of their funds.
Clearly, the EOS mainnet nightmare refuses to die down.
Vranken did not immediately respond to a request for comment. If he responds, we will update the story.
Published June 14, 2018 — 11:25 UTC