This article was published on August 27, 2018

PSA: Major EOS bug makes it possible to steal valuable resources directly from users

RAM can be siphoned from users and dApps alike



Here we go again with more EOS troubles: the popular cryptocurrency purportedly suffers from a major vulnerability that makes it possible to steal valuable network resources directly from user accounts – without any authorization.

The good thing is that a team of EOS developers is already rushing to plug the security flaw. The bug allows attackers to insert code to trick the network into incorrectly distributing RAM when transactions take place.

The EOSEssentials team describes the attack:

A malicious user can install code on their account which will allow them to insert table rows in the name of another account sending them tokens. This lets them steal RAM by inserting large amounts of garbage into table rows when dApps/users send them tokens.

An ad-hoc solution has been provided. To protect themselves from having RAM effectively stolen from them by interacting with dodgy accounts, users must use a proxy. In this context, a “proxy” is an account with no RAM to steal – so it’s not really a sustainable fix, but rather a band-aid solution.

By sending tokens to a proxy account with no available RAM, and with a memo where the first word of the memo is the account you eventually want to send the tokens to, the only account they can assume database row permissions for is the proxy, which has no RAM.
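The row-billing behaviour quoted above and the proxy work-around just described, as a constructed C++ model added here to illustrate the risk and the mitigation; it is not EOSIO code and not from EOSEssentials. The accounts, RAM quotas, the "on receive" handler that stands in for a transfer notification, and the memo parsing are all simplified assumptions, and the model merely refuses a row insert the payer cannot fund, where the real chain would abort the whole transaction with an insufficient-RAM error.

```cpp
#include <cassert>
#include <functional>
#include <map>
#include <sstream>
#include <string>

// Constructed model of EOS-style RAM billing for illustration; not EOSIO code.
struct Account {
    long long tokens = 0;
    long long ram_free = 0;  // bytes this account can still be billed for
    long long ram_used = 0;  // bytes already consumed by stored rows
    // Optional contract code, run whenever the account receives tokens, the
    // way a transfer notification handler runs on the real chain.
    std::function<void(const std::string& from, long long amount,
                       const std::string& memo)> on_receive;
};

class Chain {
public:
    std::map<std::string, Account> accounts;

    // Store `bytes` of row data billed to `payer`. This is the weak spot the
    // article describes: while handling a notification, the receiving contract
    // may name the *sender* as payer. Returns false when payer has no room
    // (the real chain aborts the transaction with "insufficient ram" instead).
    bool store_rows(const std::string& payer, long long bytes) {
        Account& a = accounts[payer];
        if (a.ram_free < bytes) return false;
        a.ram_free -= bytes;
        a.ram_used += bytes;
        return true;
    }

    bool transfer(const std::string& from, const std::string& to,
                  long long amount, const std::string& memo) {
        if (!accounts.count(from) || !accounts.count(to)) return false;
        if (amount <= 0 || accounts[from].tokens < amount) return false;
        accounts[from].tokens -= amount;
        accounts[to].tokens += amount;
        if (accounts[to].on_receive) accounts[to].on_receive(from, amount, memo);
        return true;
    }
};

// The behaviour the article describes: every incoming transfer triggers a
// large garbage insert billed to whoever sent the tokens.
void install_ram_grabber(Chain& chain, const std::string& name, long long garbage_bytes) {
    chain.accounts[name].on_receive =
        [&chain, garbage_bytes](const std::string& from, long long, const std::string&) {
            chain.store_rows(from, garbage_bytes);
        };
}

// The proxy work-around: the proxy keeps no free RAM and forwards each payment
// to the account named by the first word of the memo, passing on the rest.
void install_proxy(Chain& chain, const std::string& name) {
    chain.accounts[name].ram_free = 0;
    chain.accounts[name].on_receive =
        [&chain, name](const std::string&, long long amount, const std::string& memo) {
            std::istringstream in(memo);
            std::string dest, rest;
            if (!(in >> dest)) return;                 // no destination: tokens stay at proxy
            std::getline(in, rest);
            if (!rest.empty() && rest[0] == ' ') rest.erase(0, 1);
            chain.transfer(name, dest, amount, rest);  // any billing can only hit `name`
        };
}

// Scenario 1: the victim pays the malicious account directly.
// Returns the RAM (bytes) the victim lost.
long long ram_lost_direct() {
    Chain chain;
    chain.accounts["victim"].tokens = 100;
    chain.accounts["victim"].ram_free = 8192;
    install_ram_grabber(chain, "grabber", 4096);
    chain.transfer("victim", "grabber", 10, "payout");
    return chain.accounts["victim"].ram_used;  // 4096: billed without consent
}

struct ProxyResult {
    long long victim_ram_used;
    long long proxy_ram_used;
    long long grabber_tokens;
};

// Scenario 2: the same payment routed through the proxy, memo "grabber payout".
ProxyResult proxied_payout() {
    Chain chain;
    chain.accounts["victim"].tokens = 100;
    chain.accounts["victim"].ram_free = 8192;
    install_ram_grabber(chain, "grabber", 4096);
    install_proxy(chain, "proxy");
    chain.transfer("victim", "proxy", 10, "grabber payout");
    return {chain.accounts["victim"].ram_used,   // 0
            chain.accounts["proxy"].ram_used,    // 0: nothing there to bill
            chain.accounts["grabber"].tokens};   // 10: the payment still arrives
}

int main() {
    assert(ram_lost_direct() == 4096);
    ProxyResult r = proxied_payout();
    assert(r.victim_ram_used == 0 && r.proxy_ram_used == 0 && r.grabber_tokens == 10);
    return 0;
}
```

The two scenarios make the article's point concrete: the only thing the proxy changes is which account's name is on the transfer that reaches the malicious contract, so the handler can still run but finds nothing to bill. It also shows why the proxy is a band-aid rather than a fix: it relies on the proxy having zero free RAM at all times and on the memo convention being followed correctly by the sender.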

The EOS ecosystem sees RAM as a finite resource to be distributed among programmers. If it helps, think of it as storage space – the bigger the dApp, the more RAM is required to run it smoothly.

One developer working on the fix is César Rodriguez, who clarified that the “stolen” RAM is effectively stuck, or blocked. While the exploit does allow for RAM to be taken from its rightful owner, it cannot be traded or sold for profit. It can’t be given back, either. In his initial bug report, he noted:

Not a single dApp should have the right to take resources of a user and not allow a mechanism to revert it. In the long term this will lead to thousands of accounts storing garbage in RAM, RAM that could be useful for apps that have a real utility.

There may be some shitcoins for which the value of the RAM stored is higher than the value of the token.

It is important to clarify that in order to be affected by this bug, you must interact with an EOS account loaded with the malicious contract.

“Every account (wallet) can have code, so every transaction could block your RAM,” Rodriguez told Hard Fork. “Just to make it clear, you need to [send] the transaction to the malicious account. It’s not that someone can block your account [by] sending something to you.”

Rodriguez did note that the bug was only discovered after an EOS betting dApp was forced offline. As it was interacting directly with an EOS account loaded with the bad code (paying out winnings), its RAM was slowly being siphoned.

The most concerning part is that the current fix is quite complicated for the uninitiated. For now, users will need to be comfortable with editing code themselves in order to remain safe, at least until an official fix has been implemented.

In any case, things are not looking great for EOS. This mishap marks the latest in a string of security flaws recently discovered in the popular cryptocurrency, which has already paid out close to half a million dollars in bug bounties in 2018.

Proposed solutions can be found through the EOSEssentials GitHub. Good luck.
