Critical EOS Smart Contract Vulnerability Discovered By Auditing Firm
LianAn Tech, with the help of its research platform VaaS (Verification as a Service), has identified a critical vulnerability in the EOS smart contract architecture. The defect is visibly similar to the batchOverflow bug that had incapacitated a long list of ERC20 tokens including BeautyChain (BEC). The event had lead to the suspension of trading and withdrawals of all ERC20 tokens across most major exchanges.
LianAn Tech took a close look at the batchOverflow exploit and investigated the EOS blockchain smart contract architecture using integer overflow vulnerability detection and security verification and found that the smart contracts on the EOS blockchain are subject to almost exactly the same vulnerability.
EOSIO had been designed to give developers the most robust toolset for writing high-performance, high-quality, low-bug-count contracts and to allow the platform and the contracts to recover gracefully when all else fails. However, it has become under various scrutiny the last few weeks with many more flaws to be pointed out soon.
“The problem is not a security vulnerability, as they represent, but the result of poor coding practices. There is nothing a smart contract platform can do to prevent developers from making mistakes. Such mistakes are not security vulnerabilities in the underlying platform.”
“The team at LianAn Tech and other bloggers which report on this issue have constructed a strawman argument against EOSIO. The result of their irresponsible reporting is to mislead those who don’t understand the technology. As an industry, we need people who can accurately understand the difference between a security vulnerability (platform not behaving as designed), a user error (developers not using the platform properly), and a fundamental platform design flaw (a platform not giving developers tools to protect themselves).”
Whether this development is a legit criticism of EOD or it is an attempt to propagate FUD(Fear Uncertainty and Doubt) is yet to be seen.