- A hacker has stolen at least 30,000 EOS from a gambling dApp on the EOS network.
- As a result of the exploit, the EOS network was overloaded.
- The cause of the hack is not a vulnerability in the network itself, but a mistake in the gambling dApp's smart contract.
As reported yesterday on Twitter, the EOS network, and specifically the gambling dApp EOSPlay, became the target of a hacker attack in which the attackers captured at least 30,000 EOS. The exploit allowed the attacker to win every game on EOSPlay by “paying” to fill blocks with his transactions while the EOS network was heavily overloaded.
It is important to note that the bug is not in the EOS software itself; the cause lies with the developers of EOSPlay. The attack has been stopped for the time being and the network is back in normal operation.
Nevertheless, EOSPlay should be avoided until the exploit is fixed. Until there is a fork or a patch, the exploit can still be abused if an attacker can once again acquire enough EOS network resources and EOS. EOS holders, however, do not need to worry: their EOS is not at risk.
> Attack stopped, network is back in a normal mode. >30K EOS stolen because of the vulnerability of DApp design. Not $EOS flaw. Just a smart-contract that was hacked.
> To smart-contract devs:
> 1. Follow best security practices.
> 2. Do not rely on on-chain source of entropy in EOS.
> — Dexaran (@Dexaran) September 14, 2019
This is how the theft worked:
The attackers rented a considerable amount of CPU and network resources on EOS via the resource exchange EOSRex. With the leased resources and an estimated 900,000 EOS cycles, the attacker was able to manipulate the gambling dApp to win every game.
By staking the CPU and network resources for himself and the attacked smart contract, the attacker put so much strain on the EOS network that the EOSIO network ‘froze’ and processed only the hacker’s transactions, which sent thousands of EOS to his own wallet address. Because of the overload, only the hacker and the attacked app had sufficient network resources.
This not only prevented other users of the EOS network from sending their transactions quickly, but also prevented the EOSPlay developers from stopping the attack as soon as it was detected.
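To illustrate the design flaw the tweet above warns about, here is an added C++ example (not EOSPlay's or EOSIO's code): it simulates a dice game seeded from public block data, shows why a bettor who mirrors the contract's own formula never loses, and contrasts it with a commit-reveal seed. The block fields, the hash stand-in and the house secret are constructed for the example.

```cpp
// Added illustrative example, not EOSPlay's or EOSIO's code: a toy dice game
// whose outcome is derived from block fields the bettor can observe (and, by
// filling blocks, influence) before the bet lands, beside a commit-reveal form.
#include <cstdint>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Placeholder for a chain hash; std::hash is not cryptographic.
static uint64_t mix(const std::string& data) { return std::hash<std::string>{}(data); }

// Constructed block context standing in for on-chain fields (block number,
// block prefix, timestamp) that are public while the block is being built.
struct BlockCtx { uint64_t block_num; uint64_t prefix; uint64_t timestamp; };

// WEAK: the "random" roll is a pure function of public block data.
bool weak_roll_wins(const BlockCtx& b) {
    uint64_t seed = mix(std::to_string(b.block_num) + ":" +
                        std::to_string(b.prefix) + ":" + std::to_string(b.timestamp));
    return seed % 2 == 0;  // 50/50 only for a player who cannot see the seed in advance
}

// A bettor who mirrors the contract's formula and bets only on winning blocks.
// Returns {bets placed, bets won}: with the weak design the two are always equal.
std::pair<int, int> selective_bettor(const std::vector<BlockCtx>& blocks) {
    int placed = 0, won = 0;
    for (const auto& b : blocks)
        if (weak_roll_wins(b)) { ++placed; ++won; }
    return {placed, won};
}

// HARDENED (commit-reveal): the house publishes H(secret) before any bet, the
// bettor supplies a nonce with the bet, and the house reveals the secret after.
// Neither party alone fixes the seed and block contents never enter it. The
// house must be forced to reveal on time (e.g. forfeit on timeout).
struct Commitment { uint64_t digest; };
Commitment commit(const std::string& house_secret) { return {mix("commit:" + house_secret)}; }

// *valid is false when the revealed secret does not match the commitment,
// which stops a house from swapping secrets after seeing the bettor's nonce.
bool reveal_roll_wins(const Commitment& c, const std::string& revealed_secret,
                      uint64_t bettor_nonce, bool* valid) {
    *valid = (mix("commit:" + revealed_secret) == c.digest);
    if (!*valid) return false;
    return mix(revealed_secret + ":" + std::to_string(bettor_nonce)) % 2 == 0;
}
```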
The Twitter user ‘retkit’ also provided a good summary of the incident:
The EOS price remains unimpressed: it has risen 9% in the last 24 hours to USD 4.09.