The discovery broke on Chinese microblogging platform, Weibo, which is often likened to Chinese Twitter. The report highlights a series of bugs that were found on the EOS blockchain that allows arbitrary code to be executed remotely on EOS nodes which can even allow a malicious actor to take full control of the node.
The news rapidly reached the western media through cnLedger’s widely followed Twitter account:
1/ Chinese Internet security giant 360 has found "a series of epic vulnerabilities" in the #EOS platform. Some of the bugs allow arbitrary code to be executed remotely on EOS nodes and even taking full control of the nodes.
Source (in Chinese): https://t.co/pt6nj6EodP
— cnLedger [Not giving away ETH] (@cnLedger) May 29, 2018
Qihoo 360 went on to claim that the breach would have allowed attackers to deploy smart contracts with malicious code to EOS supernodes. Once the contract is included in a block, the potential for misuse is amplified as it can affect backup nodes, exchanges, wallet nodes, and more.
However, according to an update posted on Chinese blockchain news site, Jinse, the EOS team has reportedly worked through the issues with the Qihoo 360 team.
“On the early morning of the 29th, this type of loophole was reported to EOS official and assisted in repairing security risks. According to 360, the person in charge of the EOS network stated that the EOS network will not be officially launched until these issues are fixed.”
The Qihoo 360 employee involved with the fix told Golden Finance, “This is a serious problem in itself, but it is not difficult to fix it. It should not have a major impact on the main line, because EOS has been continuously [working to] fix the bug.”
Qihoo 360 has urged the blockchain industry and other security firms to pay closer attention to such issues, as any small vulnerability in a decentralized blockchain system can trigger attacks across the entire network.
The price of EOS fell after news of the security issue broke, but it has since recovered after investors received the ‘all-clear’ from the EOS team. The project is still planning to switch from the Ethereum blockchain to its own mainnet on June 2nd.
Help us find critical bugs in #EOSIO before our 1.0 release. $10K for every unique bug that can cause a crash, privilege escalation, or non-deterministic behavior in smart contracts. Offer subject to change, ID required, validity decided at the sole discretion of Block One.
— Daniel Larimer (@bytemaster7) May 28, 2018