'False Top-up' EOS Vulnerability Detected by Chinese Cybersecurity Firm, Confirmed by OKEx

  • SlowMist, a Chinese cybersecurity firm, claims to have found a security vulnerability that allows users to register EOS deposits without actually transferring the funds.
  • Crypto exchange OKEx has confirmed the vulnerability.

EOS, one of the world’s largest platforms for building and deploying decentralized applications (dApps), might be vulnerable to an attack, according to Chinese cybersecurity firm SlowMist Technology Co. Ltd.

SlowMist’s Medium blog post, which refers to the issue as a “false top-up,” states that the vulnerability can potentially be exploited by an attacker, who “can successfully deposit EOS to these platforms without transferring any EOS.” Platforms likely to be affected by this particular EOS-related vulnerability include digital asset exchanges, wallets and other crypto-related services, SlowMist noted.

"False Top-Up" Vulnerability Similar To False Ethereum Top-Up

The online security firm has also claimed in its blog post that a real attack has already taken place. However, SlowMist has not yet revealed any details regarding the attack, except to note that it is somewhat similar to the USDT and Ethereum false top-up attacks. As described in SlowMist’s blog post:

The platform should be responsible for this [false top-up vulnerability]. Since this is a new type of attack, and the attack is already happening, if other platforms are not fully confident of their own deposit process verification, they should suspend the EOS deposit as soon as possible and double check the process. Specific attack details will be disclosed by SlowMist Security Team.

OKEx Confirms Vulnerability

Responding to the security threat from SlowMist, Hong Kong-headquartered crypto exchange OKEx acknowledged (via Twitter) that it was “aware of the vulnerability with EOS deposits.” But OKEx’s management also confirmed that the company’s trading platform was “not exposed to the vulnerability.” The exchange’s support team assured OKEx customers that their funds were “safe and secure.”

Last month, an EOS community Telegram group had reported that 2.09 million EOS tokens (over $7 million) had been transferred by a blacklisted EOS account holder. Several news media outlets had described this incident as a “hack”; however, a detailed investigation by BreakerMag revealed that there had reportedly been a breakdown of an EOS arbitration group’s temporary solution for blocking malicious accounts.

400,000 EOS Tokens Reportedly Stolen From Hacked Accounts

In December 2018, cybersecurity research firm PeckShield published a report which revealed that only 120,000 out of approximately 500,000 EOS accounts were currently active. PeckShield’s research team also reported that over 200,000 (about 37%) EOS accounts had been inactive since creation.

Commenting on the low account activity, Shi Huaguo, the senior security researcher at PeckShield, had said (at that time):

dApps on EOS started to explode since September 2018, and the number grew rapidly in October. But with EOS, [dApps] are getting hotter [or being widely-used], [however] the group-controlled accounts [have also] started to emerge.

Notably, PeckShield’s researchers found that 27 EOS-based dApps had major vulnerabilities; however, these security issues were not directly related to issues with the EOS blockchain itself. Because of these security vulnerabilities, more than 400,000 EOS tokens (worth about $700,000 at the time of the security breaches) had reportedly been stolen.