Hackers create 1B fake EOS to rob ‘decentralized’ cryptocurrency exchange

Thanks to a shocking security vulnerability, hackers have flooded a “decentralized” token exchange platform with 1 billion fake EOS tokens. By the end of the heist, the thieves were able to steal almost $58,000 in cryptocurrency directly from users.

The hackers created a new EOS-based token, ironically named “EOS,” and used it to illegitimately purchase BLACK, IQ, and ADD tokens from exchange service Newdex. The company has since confirmed the hack.

“EOS account oo1122334455 issued 1,000,000,000 fake EOS tokens,” Newdex wrote in a statement. “After testing the feasibility of the attack, the account began to place large [buy orders]. A total of 11,800 fake EOS orders were issued to purchase BLACK, IQ [sic] and ADD.”

The thieves eventually traded the collection of tokens for real EOS cryptocurrency. Newdex later revealed the attackers managed to siphon 4,028 real EOS (approximately $20,000) to cryptocurrency exchange desk Bitfinex. Ultimately, it’s the Newdex dApp users left to suffer losses, which amount to roughly $58,000.

While the team has apologized for the incident, it has not yet made plans to compensate affected users.

The vulnerability appears to stem from two things: first, anyone can create a token using EOS, and they can name it anything they want – apparently, even “EOS.” All you need is an EOS account.

Second, Newdex doesn’t use smart contracts. Yep, that’s right. Because there’s no smart contract, there was nothing to confirm the authenticity of the cryptocurrency being pumped into it.
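As an added illustration (not Newdex’s code, which has not been published), here is the deposit-crediting logic an account-based exchange like this would need: the flawed variant trusts the token symbol, while the fixed variant also requires the transfer to have been executed by the `eosio.token` contract that issues real EOS. The action traces and the `fakeeostoken` contract name are constructed; that `eosio.token` is the genuine issuer is a fact about EOS mainnet not stated in the article.

```python
from dataclasses import dataclass
from typing import Dict, List

GENUINE_EOS_CONTRACT = "eosio.token"  # system contract that issues real EOS (not from the article)
EXCHANGE_ACCOUNT = "newdexpocket"     # deposit account named in the article

@dataclass(frozen=True)
class Asset:
    amount: int     # integer in smallest units (4 decimals for EOS)
    symbol: str
    precision: int
    contract: str   # account whose contract executed the transfer

def parse_quantity(quantity: str, contract: str) -> Asset:
    """Parse an EOS-style quantity string such as '100.0000 EOS'."""
    number, symbol = quantity.split()
    whole, _, frac = number.partition(".")
    return Asset(int(whole + frac), symbol, len(frac), contract)

def is_genuine_eos(asset: Asset) -> bool:
    # The symbol alone proves nothing: any EOS account can issue a token named
    # "EOS". Real EOS is identified by issuing contract + symbol + precision.
    return (asset.contract == GENUINE_EOS_CONTRACT
            and asset.symbol == "EOS" and asset.precision == 4)

def credit_deposits(traces: List[dict], symbol_only: bool = False) -> Dict[str, int]:
    """Credit incoming transfers per sender; symbol_only=True models the flawed check."""
    balances: Dict[str, int] = {}
    for trace in traces:
        act = trace["act"]
        data = act["data"]
        if act["name"] != "transfer" or data["to"] != EXCHANGE_ACCOUNT:
            continue
        asset = parse_quantity(data["quantity"], act["account"])
        accepted = asset.symbol == "EOS" if symbol_only else is_genuine_eos(asset)
        if accepted:
            balances[data["from"]] = balances.get(data["from"], 0) + asset.amount
    return balances

# Constructed traces: one real deposit, and a transfer of the lookalike token
# executed by a hypothetical contract account "fakeeostoken" on behalf of the
# attacker account named in the article.
SAMPLE_TRACES = [
    {"act": {"account": "eosio.token", "name": "transfer", "data": {
        "from": "alice", "to": EXCHANGE_ACCOUNT, "quantity": "25.0000 EOS", "memo": "d"}}},
    {"act": {"account": "fakeeostoken", "name": "transfer", "data": {
        "from": "oo1122334455", "to": EXCHANGE_ACCOUNT,
        "quantity": "1000000000.0000 EOS", "memo": "d"}}},
]
```

With `symbol_only=True` the attacker account is credited with 1 billion “EOS”; with the contract check only alice’s genuine deposit is credited.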

All of this appears to stem from the developers riding the hype surrounding decentralized exchanges (DEX) by dressing Newdex up as one. In reality, it’s just a single user account handling trades under the guise of being an asset exchange – pretty centralized, if you ask me.

The community actually proved this just days before the attack:

[…] They deceptively present Scatter as the login and trading interface, so you feel like you’re using a DEX. In reality you aren’t sending funds to any smart contract, it’s just a regular EOS account they own ‘newdexpocket’, that doesn’t even have a smart contract running on it.

This was later corroborated by Hard Fork. As it stands, the “newdexpocket” EOS account – the operational Newdex dApp wallet – has no smart contract code programmed into it. Without a smart contract, users of Newdex are simply sending funds to a personal EOS account with the hope that trades will be conducted properly.

What’s worse, it appears that it is using the exact same key for both its owner and active permissions. This creates a single attack vector that is easily exploitable. For reference, most exchanges at least use multi-sig wallets.

It seems in this instance, the keys weren’t the target – just the gaping security holes left by token exchange developers too negligent to even program a smart contract to protect users.

Welcome to the “decentralized” internet of 2018.

Published September 18, 2018 — 09:53 UTC


Posted by News Monkey