Guido Vranken Finds 12 More Vulnerabilities in EOS Blockchain Software
Guido Vranken, who describes himself as “a dedicated fuzz tester for the Ethereum Foundation”, has recently found numerous vulnerabilities in EOS’s code. He found twelve of them, of which four are yet to be confirmed.
Vranken says he discovered 11 confirmed bugs in the EOS software last week. The HackerOne report reveals that the hacker has already received $90,000 in bounty payments from EOS parent company Block.one for nine different bugs he found in the system.
Thank you. A couple more waiting to be rewarded. I think the final tally was $120K but I lost count. Took me about a week.
— Guido Vranken (@GuidoVranken) June 4, 2018
The total amount owed to him comes close to $120,000 and the rewards are still pouring in. He has also previously reported bugs to Ethereum, Ripple, and Stellar.
Qihoo 360 said that Block.One had promised to hold off the EOS mainnet launch until the vulnerabilities were eliminated, but the company went ahead with the launch anyway, stating that all the bugs would be fixed by the time of the launch. EOS had this to say a week or so ago:
Media has incorrectly reported a potential delay in the release of EOSIO V1 due to software vulnerabilities. Our team has already fixed most and is hard at work with the remaining ones. EOSIO V1 is on schedule; please stay tuned to our EOSIO channels for official information.
— block.one (@block_one_) May 30, 2018
Reports have since indicated that days after the official launch, the EOS blockchain is still not fully up and running.
EOS has received widespread criticism for its lack of product development and its security glitches, in spite of raising $4 billion in a year-long ICO. John Oliver, the host of the popular HBO show Last Week Tonight, called EOS “a software startup that doesn’t plan to sell any software.”
It is not yet known whether the bugs pointed out by Vranken have been fixed. But if you are a startup with $4 billion in your account, you can probably afford to keep paying developers to find and fix bugs.
When weighing a $10,000 bug reward against potentially millions of EOS tokens from exploiting that bug, many will certainly choose the latter. This is why open source code, where cryptocurrencies are concerned, is most secure once it has been tested by time, and most vulnerable before then.
This is why EOS’s bug bounty needs to be raised to a million for any disclosed vulnerability that could lose money: the company has plenty of money and can therefore easily afford it, and the chance that such a money-losing bug exists stands, by our out-of-thin-air estimate, at around 90%.