Security researchers have uncovered several security vulnerabilities in blockchain platform EOS, some of which can be exploited by hackers to remotely execute arbitrary code on EOS nodes and thereby manipulate the entire EOS blockchain system!
EOS presently ranks fifth in cryptocurrency valuation globally and is considered as the third generation of BlockChain platform. The advantage of EOS over traditional blockchain platforms such as Bitcoin is that while Bitcoin manages around 3-4 transactions per second, EOS can perform millions of transactions per second thanks to the use of a distributed proof-of-stake consensus mechanism.
Researchers at 360 Security Center recently observed that the EOS blockchain system contained several vulnerabilities that could be exploited not only to run arbitrary code on EOS nodes remotely, but also to directly manipulate the whole blockchain system. To make this possible, all a hacker needed to do was to release smart contract containing malicious code which would, in turn, be executed by the EOS block producer.
Once a malicious smart contract is executed, a hacker can steal the private key of EOS block producer, control a transaction, and access the financial and privacy data of any nodes in EOS network. Such data may include digital currencies, user private keys in wallet, critical user information, and privacy information.
"Due to the decentralised computing architecture, a security hole in a single blockchain node can compromise the whole network. DoS(Denial of Service) attack that is considered with least impact in software industry can be huge in the blockchain ecosystem since everything in the system is connected and self-replicating," the researchers noted.
They added that since the cryptocurrency itself forms a complete financial ecosystem, any flaws within cryptocurrency or blockchain network can cause more severe and significant impacts to online users. They also defined vulnerabilities discovered in the EOS blockchain system as "unprecedented" and that such flaws were never exposed in blockchain systems in the past.
The said vulnerabilities were fixed by EOS after being reported by researchers at 360 Security Center and the company affirmed that the platform will go online only after the issues are fixed.
This isn't the first time that vulnerabilities or bugs have been found in blockchain systems used by millions across the world. In July last year, a bug in a type of multi-signature wallet named wallet.sol allowed hackers to take over wallets and drain them of funds. In all, hackers camped away with an estimated £23 million in Etherium coins after attacking commerce platforms like Swarm City, Edgeless Casino and the æternity blockchain.
However, for a majority of businesses in the UK and beyond, blockchain continues to be seen as the "silver bullet" that will solve all problems and eradicate losses to cyber attacks. Commenting on this perception, Joseph Carson, chief security scientist at Thycotic, told SC Magazine UK that the real problem is that the focus is too much on the technology rather than the business problem being solved and what unique value blockchain provides.
"Most solutions are using blockchain as a marketing scam to get attention in a very noisy space. The biggest challenge is enterprises' experience and knowledge of Blockchain is coming from Cryptocurrencies, they should go back to the basics on why blockchain is used and start to first understand the Merkle Tree before considering whether or not blockchain will provide any additional value.
"Another major issue is that most Blockchain solutions are making the same mistakes with poor implementations with some including raw data or personal information in the blockchain, poor root of trust, massive scalability challenges due to only two levels of concatenation and focus on technology.
"The ultimate failure in this particular case is failing to secure the most important aspect of the blockchain and that being the infrastructure and the nodes that it runs under, once it is compromised an attacker can simply introduce manipulated data which disrupts the overall trust," he said.
When asked what steps should enterprises take to ensure that blockchain solutions are completely secure and cannot be compromised via arbitrary code execution, Carson added that enterprises should first understand the model that Estonia has utilised using blockchain to help provide non-repudiation and data integrity of their digital society.
"Once a node is compromised, it should not be permitted to contribute or participate losing its trust on the network and all other nodes should continuously validate each other. Enterprises should ensure they are first educated on the basics of blockchain before going down the path on choosing and deploying a blockchain solution," he said.