An attacker has made off with at least 30,000 EOS by exploiting gambling dApps on the network. By congesting the network with rented resources, the attacker was able to guarantee a winning outcome every time.
Anatomy Of A Crime
As pointed out by community members on Twitter, the attacker managed to steal over 30k EOS by manipulating winning conditions in gambling dApps.
They first rented a massive amount of CPU and NET at EOS’s REX resource exchange. By staking CPU and NET for themselves and the attacked contract, the attacker was able to price out most other user transactions.
With the network congested, the attacker initiated some contracts to the gambling dApps. However, with the apps relying on transactions to determine winning conditions, these could then be manipulated.
The congestion meant that only the hacker and the attacked app had enough CPU to operate. This prevented developers from stopping the attack as soon as it was discovered.
Best tweet thread explaining the CPU congestion / EOSPlay exploit. #EOS https://t.co/QU5qp2C4jL
— rektkid (@rektkid_) September 14, 2019
EOS: Platform Of Choice?
EOS overtook Ethereum as the platform of choice for users of dApps, and the vast majority of this traffic is through gambling applications. However some reports suggest that a lot of this is down to bots, and dApps are struggling to attract genuine users.
Critics also attack the network for its level of centralisation, prompting founder, Dan Larimar to get a bit lairy with Bitcoin and Ethereum earlier in the year. Larimar claimed that he could ‘take down’ the two biggest cryptocurrency networks.
More recently, EOS suffered another blow to its credibility, when Wikipedia co-founder, Larry Sanger, said the network was “de facto centralized in the hands of the Chinese.”
Sanger was explaining why he felt unable to continue building his dApps on the platform.
He might have a point, as the Chinese government continues to rank EOS first in its top ten cryptocurrencies list. Bitcoin meanwhile, still fails to make the top 10.
What do you think about this EOS dApp flaw? Add your thoughts below.
Images via Shutterstock, Twitter @rektkid_
