Thanks to a stunning security vulnerability, hackers have flooded a “decentralized” token exchange platform with 1 billion fake EOS tokens. By the end of the heist, the thieves were able to steal almost $58,000 in cryptocurrency directly from users.
The hackers created a new EOS-based token, ironically named “EOS,” and used it to illegitimately purchase BLACK, IQ, and ADD tokens from exchange service Newdex. The company has since confirmed the hack.
“EOS account oo1122334455 issued 1,000,000,000 fake EOS tokens,” Newdex wrote in a statement. “After testing the feasibility of the attack, the account began to place large [buy orders]. A total of 11,800 fake EOS orders were issued to purchase BLACK, IQ [sic] and ADD.”
The thieves eventually traded the collection of tokens for real EOS cryptocurrency. Newdex later revealed the attackers managed to siphon 4,028 real EOS (approximately $20,000) to cryptocurrency exchange desk Bitfinex. Ultimately, it’s the Newdex dApp users left to suffer losses, which amount to roughly $58,000.
While the team has apologized for the incident, it has not yet made plans to compensate affected users.
The vulnerability appears to stem from two things: first, anyone can create a token using EOS, and they can name it anything they want – apparently, even “EOS.” All you need is an EOS account.
Second, Newdex doesn’t use smart contracts. Yep, that’s right. Because there’s no smart contract, there was nothing to confirm the authenticity of the cryptocurrency being pumped into it.
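The two points above combine into one concrete failure: on EOS a token is identified by the pair (issuing contract account, symbol), not by the symbol string alone, so a deposit handler that matches only on the string “EOS” cannot distinguish the system token held by the eosio.token contract from a look-alike issued by any other account. The following is an added example, not code from the article or from Newdex, showing a symbol-only credit check beside an allow-list check on (contract, symbol), plus a detector that flags transfers using a known symbol from the wrong contract. The transfer records are constructed; the fake token is assumed to be issued from the attacker account named in the article, and the receiving account name is hypothetical.

```python
"""Added example (not from the article): symbol-only vs. (contract, symbol) token checks."""
from dataclasses import dataclass
from decimal import Decimal

# Constructed shape of an EOS transfer action as a node would report it to a deposit handler.
@dataclass(frozen=True)
class Transfer:
    contract: str   # account whose token contract emitted the transfer action
    sender: str
    receiver: str
    quantity: str   # EOS asset string, e.g. "4028.0000 EOS"

def parse_quantity(quantity: str) -> tuple[Decimal, str]:
    """Split an EOS asset string into (amount, symbol)."""
    amount, symbol = quantity.strip().split()
    return Decimal(amount), symbol

# Weak check: credits any transfer whose symbol reads "EOS", whatever contract issued it.
def credit_weak(t: Transfer, receiver: str) -> Decimal:
    amount, symbol = parse_quantity(t.quantity)
    if t.receiver == receiver and symbol == "EOS":
        return amount
    return Decimal(0)

# Hardened check: only tokens on an explicit (contract, symbol) allow-list are credited.
# eosio.token is the system contract that holds the genuine EOS token.
KNOWN_TOKENS = {("eosio.token", "EOS")}

def credit_strict(t: Transfer, receiver: str) -> Decimal:
    amount, symbol = parse_quantity(t.quantity)
    if t.receiver == receiver and (t.contract, symbol) in KNOWN_TOKENS:
        return amount
    return Decimal(0)

def total_credit(transfers, receiver, checker) -> Decimal:
    """Sum of credited amounts for one receiver under a given checker."""
    return sum((checker(t, receiver) for t in transfers), Decimal(0))

def flag_spoofed(transfers) -> list:
    """Detection: transfers that reuse a known symbol but come from an unlisted contract."""
    known_symbols = {symbol for _, symbol in KNOWN_TOKENS}
    return [
        t for t in transfers
        if parse_quantity(t.quantity)[1] in known_symbols
        and (t.contract, parse_quantity(t.quantity)[1]) not in KNOWN_TOKENS
    ]

# Constructed sample: one genuine deposit, one fake "EOS" deposit, one transfer to someone else.
# The fake token is assumed (not confirmed by the article) to be issued from the attacker's own account.
SAMPLE = [
    Transfer("eosio.token", "alice", "exchangeacct", "100.0000 EOS"),
    Transfer("oo1122334455", "oo1122334455", "exchangeacct", "1000000.0000 EOS"),
    Transfer("eosio.token", "bob", "otheraccount", "5.0000 EOS"),
]

if __name__ == "__main__":
    print("weak credit:  ", total_credit(SAMPLE, "exchangeacct", credit_weak))
    print("strict credit:", total_credit(SAMPLE, "exchangeacct", credit_strict))
    for t in flag_spoofed(SAMPLE):
        print("spoofed symbol from contract", t.contract, "->", t.quantity)
```

The weak checker credits the full million fake EOS; the strict one credits only the 100 EOS from eosio.token. The allow-list is the check a smart contract or a properly written off-chain deposit service would apply before treating a transfer as a balance increase, and `flag_spoofed` is the alerting rule a defender would run over incoming transfers to spot look-alike symbols early.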
All this is because its developers appear to be leveraging the hype surrounding decentralized exchanges (DEX) by dressing Newdex up as one. In actuality, it’s just a single personal account handling trades under the guise of being an asset exchange – fairly centralized, if you ask me.
The community actually proved this just days before the attack:
[…] They deceptively present Scatter as the login and trading interface, so you feel like you’re using a DEX. In actuality you aren’t sending funds to any smart contract, it’s just a regular EOS account they own, ‘newdexpocket’, that doesn’t even have a smart contract running on it.
This was later corroborated by Hard Fork. As it stands, the “newdexpocket” EOS account – the operational Newdex dApp wallet – has no smart contract code deployed on it. Without a smart contract, users of Newdex are simply sending funds to a personal EOS account in the hope that trades will be carried out correctly.
What’s worse, it appears to be using the very same key for both its owner and active permissions. This creates a single attack vector that is easily exploitable. For reference, most exchanges at the very least use multi-sig wallets.
It appears that in this case the keys weren’t the target – just the gaping security holes left by token exchange developers too negligent to even deploy a smart contract to protect users.
Welcome to the “decentralized” web of 2018.
Published September 18, 2018 — 09:53 UTC