EOS platforms have recently been struggling to withstand security threats and maintain their integrity. It was recently learned that Trybe, a content creation platform built on EOS, suffered unauthorized access to user accounts.
An exploit on EOS is allowing an attacker to win every roll in the dApp EOSPlay by paying to fill blocks with their own transactions, earning an estimated 30,000 EOS so far (worth more than $110,000) while leaving the network practically unusable for everyone else.
Logistics of the attacks
The failure in EOSPlay was made possible through REX, the EOS Resource Exchange, a decentralized finance (DeFi) service in which EOS holders lend their tokens and other users rent CPU and NET bandwidth with them. By renting a large share of the available CPU, the attacker could ensure that blocks were filled with their own transactions and so win continuously in EOSPlay. The result was a near-frozen EOS network while thousands of tokens were transferred to the attacker's wallet.
The incident did not break the EOS network itself: blocks kept being produced, but the attacker consumed so much CPU that no additional bandwidth was left for anyone else. As in earlier spam episodes on Ethereum and Bitcoin, the attacker floods the network with a high rate of transactions. Token holders' balances were not frozen, but no bandwidth remained available for ordinary use.
Because the price of CPU rented through REX rises dynamically with demand, essentially everyone is locked out unless they have more EOS at stake than the attacker.
In this case the attacker had roughly 900,000 EOS staked to CPU, crowding everyone else out of the resource. With the network congested, nobody else could send transactions because the cost was prohibitive for most users.
EOSBet paid one user 126,000 EOS across dozens of transactions in just 36 hours. The suspicious activity began only 24 hours after a smart contract hack at EOSGames produced 24 jackpot payouts in a single hour.
Just four days after a similar incident, an EOSBet user was paid more than $600,000 in winnings over 36 hours, in what looks at first sight like an excellent run but could be hiding a smart contract breach on the EOS-based decentralized betting platform.
The player in an EOSBet dice game somehow managed to double their money repeatedly over a series of consecutive bets, for total winnings of 126,000 EOS in under two days. The attacker was also the sole winner of the dozens of transactions executed during that period.
A breach of this magnitude is considered unlikely, and EOSBet denied one, stating that the platform was not hacked and that every payout to the user was legitimate and simply good luck.
Impact on the EOS community
Users reported that the attack effectively froze the EOS blockchain, preventing both the operation of decentralized applications and ordinary transfers between cryptocurrency wallets.
This is bad news for a cryptocurrency trying to become a viable alternative to Ethereum for smart contracts and dApp development; users affected by the attack lose confidence in the platform.
The attack may have affected more than EOSPlay: the attacker appears to be using several accounts to exploit several different smart contracts.
Smart contract owners would have difficulty disabling their contracts because of the congestion and lack of network resources. Until there is a fork or a patch, the vulnerability can be abused again whenever an EOS user spends $1,000 or more on REX.
Most likely, the RNG of the attacked gambling dApps draws on transactions or data from previous blocks. That is easy for an attacker to manipulate when the network is congested and they are the only party with the resources to send transactions, since they then control what goes into those blocks and can see the block their bet will be judged against before they submit it.
EOSPlay should be avoided until the exploit is fixed. For the rest of the network, users' funds should not be at risk from this exploit.
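The weak RNG pattern described above, next to a commit-reveal hardening of it, as an added example that is not code from EOSPlay, EOSBet or any other project named on this page. It is plain C++ rather than EOSIO contract code, uses FNV-1a as a stand-in for the sha256 a real contract would call, and the block prefixes, house secrets and seed names are all constructed. `vulnerable_roll` derives the dice roll from the previous block's prefix and a bettor-chosen seed, so an attacker who has already seen that block (and whose transactions are the only ones in it) can search seeds offline and broadcast only a bet that is known to win. `hardened_roll` makes the house commit to a secret before the bet is locked, so the same offline search gains nothing.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Stand-in for sha256 (assumption: a real EOSIO contract would use eosio::sha256;
// FNV-1a is used here only so the example runs stand-alone and deterministically).
static uint64_t fnv1a(const std::string &s) {
    uint64_t h = 1469598103934665603ULL;
    for (unsigned char c : s) { h ^= c; h *= 1099511628211ULL; }
    return h;
}

// The pattern the article warns about: the roll is a pure function of the previous
// block (already visible to the attacker) and of a value the bettor picks.
static int vulnerable_roll(uint64_t prev_block_prefix, const std::string &player_seed) {
    return static_cast<int>(fnv1a(std::to_string(prev_block_prefix) + "|" + player_seed) % 100) + 1;
}

// Attacker's offline search: try candidate seeds and only broadcast one that wins.
// Returns the winning seed, or "" if none is found within the budget.
static std::string find_winning_seed(uint64_t prev_block_prefix, int need_above, int budget) {
    for (int i = 0; i < budget; ++i) {
        std::string seed = "nonce" + std::to_string(i);
        if (vulnerable_roll(prev_block_prefix, seed) > need_above) return seed;
    }
    return "";
}

// Commit-reveal: the house publishes H(secret) before accepting the bet, the bettor
// supplies a seed, and the roll is computed from both only after the bet is locked.
struct Commitment { uint64_t hash; };

static Commitment house_commit(const std::string &house_secret) { return {fnv1a(house_secret)}; }

static bool verify_reveal(const Commitment &c, const std::string &house_secret) {
    return fnv1a(house_secret) == c.hash;
}

static int hardened_roll(const std::string &house_secret, const std::string &player_seed) {
    return static_cast<int>(fnv1a(house_secret + "|" + player_seed) % 100) + 1;
}

// Simulation: an attacker who knows every previous block (because its own transactions
// fill them) plays `bets` rounds against each design and wins when roll > 50.
struct Outcome { int vulnerable_wins; int hardened_wins; };

static Outcome simulate(int bets) {
    Outcome o{0, 0};
    for (int n = 0; n < bets; ++n) {
        // Constructed block prefix and house secret for round n; the attacker sees the
        // block prefix but never the secret before the bet is locked.
        uint64_t prev_block_prefix = fnv1a("block-" + std::to_string(n));
        std::string house_secret = "house-secret-" + std::to_string(n);

        // Vulnerable game: search first, then submit the seed that is known to win.
        std::string seed = find_winning_seed(prev_block_prefix, 50, 1000);
        if (!seed.empty() && vulnerable_roll(prev_block_prefix, seed) > 50) ++o.vulnerable_wins;

        // Hardened game: the attacker can only search against a guess of the secret,
        // and the real secret is revealed after the bet is locked, so the search is worthless.
        Commitment c = house_commit(house_secret);
        std::string guessed_secret = std::to_string(prev_block_prefix);  // best guess available
        std::string attacker_seed = "nonce0";
        for (int i = 0; i < 1000; ++i) {
            std::string cand = "nonce" + std::to_string(i);
            if (hardened_roll(guessed_secret, cand) > 50) { attacker_seed = cand; break; }
        }
        if (verify_reveal(c, house_secret) && hardened_roll(house_secret, attacker_seed) > 50) ++o.hardened_wins;
    }
    return o;
}

int main() {
    Outcome o = simulate(400);
    std::printf("block-derived RNG: attacker won %d/400 rounds\n", o.vulnerable_wins);
    std::printf("commit-reveal RNG: attacker won %d/400 rounds\n", o.hardened_wins);
    return 0;
}
```

Running `simulate(400)` shows the attacker winning every round against the block-derived roll and only about half against commit-reveal, which is the whole difference between a game that can be drained under congestion and one that cannot. Two caveats for a real contract: the hash must be a cryptographic one (sha256), and the contract must pay the bettor automatically if the house fails to reveal within a deadline, otherwise the house gains the same pick-the-outcome advantage the attacker has here.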