Thanks to a shocking security vulnerability, hackers have flooded a “decentralized” token exchange platform with 1 billion fake EOS. By the end of the heist, the thieves were able to steal almost $58,000 in cryptocurrency directly from users.
The hackers created a new EOS-based token, ironically named “EOS,” and used it to illegitimately purchase BLACK, IQ, and ADD tokens from exchange service Newdex. The company has since confirmed the hack.
“EOS account oo1122334455 issued 1,000,000,000 fake EOS tokens,” Newdex wrote in a statement. “After testing the feasibility of the attack, the account began to place large [buy orders]. A total of 11,800 fake EOS orders were issued to purchase BLACK, IQ [sic] and ADD.”
The thieves eventually traded the collection of tokens for real EOS cryptocurrency. Newdex later revealed the attackers managed to siphon 4,028 real EOS (approximately $20,000) to cryptocurrency exchange desk Bitfinex. Ultimately, it’s the Newdex dApp users left to suffer losses, which amount to roughly $58,000.
While the team has apologized for the incident, it has not yet made plans to compensate affected users.
The vulnerability appears to stem from two things: first, anyone with an EOS account can deploy a token contract on EOS and give its token any symbol they want – apparently, even “EOS.” On EOS a token is identified by the contract account that issued it (the genuine EOS token lives in the eosio.token contract), not by its symbol string, so a look-alike “EOS” is trivial to mint.
Second, Newdex doesn’t use smart contracts. Yep, that’s right. Because there’s no smart contract, nothing on-chain checked which contract the incoming “EOS” transfers actually came from, so the attacker’s look-alike was credited as if it were the real thing.
All this is because its developers appear to be leveraging the hype surrounding decentralized exchanges (DEX) by dressing it up as one. In reality, it’s just a single user account handling trades under the guise of being an asset exchange – pretty centralized, if you ask me.
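To make the distinction concrete, here is an added example (not code from Newdex or from the original article) of the check a deposit handler should perform. It walks a constructed list of transfer action traces, in the shape a transaction trace exposes them, and compares a symbol-only check against one that keys on the issuing contract account. The account names `dexaccount` and `faketokenacc` and the amounts are made up for the illustration.

```python
"""Crediting EOS deposits: symbol-only check vs. contract-and-symbol check."""
from decimal import Decimal

# On EOS the genuine token is defined by (contract account, symbol), never by
# the symbol string alone.
GENUINE_EOS_CONTRACT = "eosio.token"
GENUINE_EOS_SYMBOL = "EOS"

# Constructed sample traces. "account" is the contract that executed the action.
# The second trace is a look-alike token whose symbol is also "EOS" but whose
# contract is a hypothetical attacker-controlled account.
SAMPLE_TRACES = [
    {"account": "eosio.token", "name": "transfer",
     "data": {"from": "alice", "to": "dexaccount",
              "quantity": "100.0000 EOS", "memo": "buy BLACK"}},
    {"account": "faketokenacc", "name": "transfer",
     "data": {"from": "oo1122334455", "to": "dexaccount",
              "quantity": "1000000.0000 EOS", "memo": "buy BLACK"}},
    {"account": "eosio.token", "name": "transfer",
     "data": {"from": "bob", "to": "dexaccount",
              "quantity": "5.0000 EOS", "memo": "buy IQ"}},
]


def parse_quantity(quantity):
    """Split an EOS asset string such as '100.0000 EOS' into (amount, symbol)."""
    amount, symbol = quantity.split()
    return Decimal(amount), symbol


def credit_by_symbol(action):
    """Vulnerable: trusts the symbol string, so any contract can mint 'EOS'."""
    if action["name"] != "transfer":
        return Decimal(0)
    amount, symbol = parse_quantity(action["data"]["quantity"])
    return amount if symbol == GENUINE_EOS_SYMBOL else Decimal(0)


def credit_by_contract(action, contract=GENUINE_EOS_CONTRACT,
                       symbol=GENUINE_EOS_SYMBOL):
    """Hardened: the transfer must come from the expected contract account
    and carry the expected symbol. Everything else is ignored."""
    if action["name"] != "transfer" or action["account"] != contract:
        return Decimal(0)
    amount, seen_symbol = parse_quantity(action["data"]["quantity"])
    if seen_symbol != symbol or amount <= 0:
        return Decimal(0)
    return amount


def total_credited(actions, checker):
    """Sum the deposits a given checker would credit to the exchange account."""
    return sum((checker(a) for a in actions), Decimal(0))


if __name__ == "__main__":
    print("symbol-only check credits:", total_credited(SAMPLE_TRACES, credit_by_symbol))
    print("contract check credits:   ", total_credited(SAMPLE_TRACES, credit_by_contract))
```

The symbol-only path credits the fake million alongside the two real deposits; the contract-aware path credits 105 EOS and drops the look-alike. In an on-chain EOSIO contract the equivalent guard sits in the transfer notification handler, where the handler verifies that the notifying contract is `eosio.token` before touching balances.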
The community actually proved this just days before the attack:
[…] They deceptively present Scatter as the login and trading interface, so you feel like you’re using a DEX. In reality you aren’t sending funds to any smart contract, it’s just a regular EOS account they own ‘newdexpocket’, that doesn’t even have a smart contract running on it.
This was later corroborated by Hard Fork. As it stands, the “newdexpocket” EOS account – the operational Newdex dApp wallet – has no smart contract code programmed into it. Without a smart contract, users of Newdex are simply sending funds to a personal EOS account with the hope that trades will be conducted properly.
What’s worse, it appears that it is using the exact same key for both its owner and active permissions. On EOS the owner permission is meant to be the rarely used recovery authority that can reset the active key; reusing one key for both means a single key compromise hands an attacker full, unrecoverable control of the account. For reference, most exchanges at least use multi-sig wallets, where no single key can meet the permission threshold.
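As an added example (not from the article and not Newdex’s own tooling), the following audit takes an account’s permission tree in the shape `cleos get account NAME -j` prints it and flags exactly the two weaknesses described above: a key shared between owner and active, and any permission that a single signer can satisfy on its own. Both account records below are constructed, and the key strings are placeholders rather than real EOS public keys.

```python
"""Flag single-key control in an EOS account's permission structure."""

# Constructed sample in the shape of `cleos get account -j` output (only the
# fields used here). Keys are placeholders, not real EOS public keys.
SAMPLE_SINGLE_KEY = {
    "account_name": "dexaccount",
    "permissions": [
        {"perm_name": "owner", "parent": "",
         "required_auth": {"threshold": 1,
                           "keys": [{"key": "EOS_PLACEHOLDER_KEY_A", "weight": 1}],
                           "accounts": [], "waits": []}},
        {"perm_name": "active", "parent": "owner",
         "required_auth": {"threshold": 1,
                           "keys": [{"key": "EOS_PLACEHOLDER_KEY_A", "weight": 1}],
                           "accounts": [], "waits": []}},
    ],
}

# Constructed hardened counterpart: distinct keys per permission and a 2-of-2
# threshold, so no single key can authorize anything on its own.
SAMPLE_MULTISIG = {
    "account_name": "dexaccount",
    "permissions": [
        {"perm_name": "owner", "parent": "",
         "required_auth": {"threshold": 2,
                           "keys": [{"key": "EOS_PLACEHOLDER_KEY_A", "weight": 1},
                                    {"key": "EOS_PLACEHOLDER_KEY_B", "weight": 1}],
                           "accounts": [], "waits": []}},
        {"perm_name": "active", "parent": "owner",
         "required_auth": {"threshold": 2,
                           "keys": [{"key": "EOS_PLACEHOLDER_KEY_C", "weight": 1},
                                    {"key": "EOS_PLACEHOLDER_KEY_D", "weight": 1}],
                           "accounts": [], "waits": []}},
    ],
}


def single_signer_satisfies(required_auth):
    """True if one key or one delegated account alone reaches the threshold."""
    threshold = required_auth["threshold"]
    weights = [k["weight"] for k in required_auth.get("keys", [])]
    weights += [a["weight"] for a in required_auth.get("accounts", [])]
    return any(w >= threshold for w in weights)


def audit_permissions(account):
    """Return a list of human-readable findings; empty means nothing flagged."""
    perms = {p["perm_name"]: p["required_auth"] for p in account["permissions"]}
    findings = []

    # Finding 1: the owner (recovery) key is also the day-to-day active key.
    owner_keys = {k["key"] for k in perms["owner"].get("keys", [])}
    active_keys = {k["key"] for k in perms["active"].get("keys", [])}
    for shared in sorted(owner_keys & active_keys):
        findings.append(f"owner and active share key {shared}")

    # Finding 2: any permission a lone signer can satisfy (no multisig).
    for name, auth in perms.items():
        if single_signer_satisfies(auth):
            findings.append(f"{name} permission can be satisfied by a single signer")
    return findings


if __name__ == "__main__":
    for acct in (SAMPLE_SINGLE_KEY, SAMPLE_MULTISIG):
        print(acct["account_name"], audit_permissions(acct) or ["no findings"])
```

Run against the first record the audit reports the shared key plus a single-signer finding for both owner and active; the multisig record produces no findings. The same logic applies to delegated-account authorities, which is why `accounts` weights are included in the threshold check.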
It seems in this instance the keys weren’t the target – just the gaping security holes left by token exchange developers too negligent to even program a smart contract to protect users.
Welcome to the “decentralized” internet of 2018.