Dan Larimer On 30k EOS Hack, “No Different Than High Fee Transaction Spam On BTC Or ETH”
An exploitation of EOSIO allowed an attacker to gain 30,000 EOS worth over $110k by winning every roll on the gambling decentralized app (DApp) EOSPlay.
The attacker used REX (the Resource Exchange, a pool that collects all EOSIO resource fees, including RAM sales and name auctions) to lease enough CPU to keep the blocks filled with transactions and win on EOSPlay.
As the attacker gained thousands of EOS, the network ended up freezing.
However, Daniel Larimer, the founder of EOS, argues the network is “operating correctly.”
#EOS is operating correctly. This is no different than when attackers flood eth or bitcoin with high fee transaction spam. The network didn’t freeze for token holders, there was just no extra bandwidth available for free use https://t.co/nZQmCTlXFa
— Daniel Larimer (@bytemaster7) September 14, 2019
EOSIOAlabama explained how “everyone basically gets locked out unless they have more eos staked than the attacker.”
In this case, the attacker had about 1 million EOS staked to CPU from REX.
“REX is causing an issue,” said one user, while others voiced the same, but Larimer says “the issue is not with Rex as it just allows some owners to lease their bandwidth to others” and “No platform can prevent poorly designed apps.”
Moreover, “This will drive Rex rates higher. Market will correct. Owners could also not lend to Rex,” he said.
One anonymous developer said the attack may have been larger than originally expected.
It seems that the scale of the attack is much larger than we originally expected.
These are attacker's accounts: https://t.co/wdeRVVHT4V https://t.co/euC2gEncj7 https://t.co/7mrpdRfGLi https://t.co/Wsl578HVPa https://t.co/I0aTR8OvbQ https://t.co/7ixE6VCoLf https://t.co/1QIOQDfDlw
— Dexaran (@Dexaran) September 13, 2019
“Lesson learned here is don’t design contracts that depend upon extra bandwidth available during uncontested mode. The eosplay contract should have a low cpu action to pause execution available to contract maintainers.”
“Or eosplay should lease enough bandwidth to ensure that they can upgrade everything even during congestion.”
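To make the mechanism behind these two lessons concrete, here is an added example (not code from EOSIO, EOSPlay or anyone quoted above) that models stake-proportional CPU budgeting with constructed numbers: the block CPU limit, averaging window, elastic multiplier, network-wide stake and action costs are all assumptions, and only the attacker's roughly 1 million EOS comes from the article.

```python
"""Model of EOSIO's stake-proportional CPU budgeting under congestion (added
example, constructed numbers). In congested mode each account is limited to its
pro-rata share of network CPU, so a contract sized for uncontested-mode bandwidth
stalls, while a cheap pause action still fits and enough staked or REX-leased
CPU keeps it running.
"""
from dataclasses import dataclass

# Assumed parameters, loosely modelled on EOSIO defaults; treat as illustrative.
MAX_BLOCK_CPU_US = 200_000                         # CPU budget per block, microseconds
BLOCKS_PER_DAY = 2 * 60 * 60 * 24                  # 0.5 s block interval
WINDOW_CPU_US = MAX_BLOCK_CPU_US * BLOCKS_PER_DAY  # CPU over a 24 h averaging window
ELASTIC_MULTIPLIER = 1000                          # uncongested burst allowance per account

@dataclass(frozen=True)
class Account:
    name: str
    cpu_staked: float  # EOS staked (or leased via REX) to CPU

def guaranteed_cpu_us(acct: Account, total_staked: float) -> float:
    """Pro-rata CPU per window an account keeps even when every block is full."""
    return WINDOW_CPU_US * acct.cpu_staked / total_staked

def cpu_budget_us(acct: Account, total_staked: float, congested: bool) -> float:
    """Usable CPU per window: only the guaranteed share when congested, elastic otherwise."""
    share = guaranteed_cpu_us(acct, total_staked)
    return share if congested else min(WINDOW_CPU_US, share * ELASTIC_MULTIPLIER)

def can_run(acct: Account, total_staked: float, congested: bool, demand_us: float) -> bool:
    """Whether `demand_us` of CPU fits into the account's budget for the window."""
    return demand_us <= cpu_budget_us(acct, total_staked, congested)

def stake_needed_for(demand_us: float, total_staked: float) -> float:
    """CPU stake (own or REX-leased) that guarantees `demand_us` per window under congestion."""
    return demand_us * total_staked / WINDOW_CPU_US

if __name__ == "__main__":
    TOTAL = 100_000_000.0                      # constructed network-wide CPU stake
    attacker = Account("attacker", 1_000_000)  # ~1M EOS leased from REX, per the article
    eosplay = Account("eosplay", 10_000)       # constructed stake for the gambling contract
    bets_per_day_us = 5_000 * 2_000            # constructed: 5k bets at 2 ms each
    pause_us = 150                             # constructed: trivial "set paused flag" action
    # With a 1% stake the attacker's elastic budget is the whole network: blocks fill up.
    print("attacker uncongested budget == whole window:", cpu_budget_us(attacker, TOTAL, False) == WINDOW_CPU_US)
    for congested in (False, True):
        print(f"congested={congested}: bets ok={can_run(eosplay, TOTAL, congested, bets_per_day_us)}, "
              f"pause ok={can_run(eosplay, TOTAL, congested, pause_us)}")
    print(f"stake needed to keep betting under congestion: {stake_needed_for(bets_per_day_us, TOTAL):,.0f} EOS")
```

Under these numbers the betting workload only fits in uncongested mode, the pause action fits in both, and stake_needed_for gives the CPU the contract would have to own or lease to keep operating once someone else fills the blocks.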
EOSPlay, meanwhile, needs to be avoided until the issue is fixed. The rest of the network, however, including Voice users (for which B1 is providing all bandwidth), should not be at risk.