Profile picture
Dexaran
@Dexaran
, 16 tweets, 32 min read Read on Twitter
$EOS #EOSPlay is being hacked

Investigating the issue. All my contracts on EOS mainnet has stopped because of network congestion.

bloks.io/account/mumach…
So, $EOS is still in congestion mode. My 20 staked EOS CPU gave me 6 ms instead of 2800ms as it should be in a normal stage.
It seems that the scale of the attack is much larger than we originally expected.
These are attacker's accounts:
eosflare.io/account/mumach…
eosflare.io/account/gotowo…
eosflare.io/account/mumach…
eosflare.io/account/mumach…
eosflare.io/account/mumach…
eosflare.io/account/mumach…
eosflare.io/account/mumach…
Contracts being attacked:

eosflare.io/account/dswinn…
eosflare.io/account/eospla…

probably even more...
What attacker did:

1. Rented a huge amount of CPU and NET at #EOSREX resource exchange.

2. Staked CPU&NET for (1) himself and (2) attacked contract.

3. Congested the network.

4. Initiated some transactions to the attacked contract. Won a lot of $EOS in gambling DApps.
1/ Explanation (possible scenario): RNG hack

1. By congesting the network the attacker disallowed anyone to send transactions because transaction cost is too high for most of the users.
2/ Explanation:

Probably the RNG of attacked gambling DApps could use some transactions or data from earlier blocks as a source of entropy.
It's easier to manipulate "previous blocks" when the network is congested and you are the only one having resources to send transactions.
3 / Explanation:

I.e. if you are the only one who sends transactions and RNG relies on transactions(or blocks) as a source of entropy, you can manipulate RNG and set winning conditions, and then receive all winnings. Devs could not redeploy the contract due to lack of resources.
$EOS #hack

@BigONEexchange
@eoslaomao
@EOS_huobipool
@eoseoul_kor
@infstones
@EOS_Nation
@NewdexOfficial
@WhaleExchange
@eosasia_one
@ZB__EOS
@eoscochain
@StarteosIO
@Lambdaim
@atticlab_it
@eosbeijing
@SlowMist_Team
@eosnewyork
@cannon_eos
@eoscafeblock

dappradar.com/eos/1124/spina…
$EOS #EOSPlay and #Spinach DApps are hacked. At least 35K EOS were stolen right now. This addresses are probably worth tracking and blacklisting until BPs will make a decision.

@binance @bitfinex @Poloniex @HuobiGlobal @OKEx @OKCoin @kucoincom @C2CXExchange @BittrexExchange
@BigONEexchange @EOSLaoMao @EOS_huobipool @eoseoul_kor @infstones @EOS_Nation @NewdexOfficial @WhaleExchange @EOSAsia_one @ZB__EOS @eoscochain @StarteosIO @Lambdaim @atticlab_it @eosbeijing @SlowMist_Team @eosnewyork @cannon_eos @eoscafeblock 4/ Explanation:

Network congestion makes (1) hacker and (2) attacked DApp the only users of the network who had enough CPU to operate. This prevents contract developers from redeploying the contract and stopping the attack when they recognized the issue.
@BigONEexchange @EOSLaoMao @EOS_huobipool @eoseoul_kor @infstones @EOS_Nation @NewdexOfficial @WhaleExchange @EOSAsia_one @ZB__EOS @eoscochain @StarteosIO @Lambdaim @atticlab_it @eosbeijing @SlowMist_Team @eosnewyork @cannon_eos @eoscafeblock 5/ Update:

The attacker did not use the previous blocks as I thought initially. He fills future blocks with the transaction he needs instead.
@BigONEexchange @EOSLaoMao @EOS_huobipool @eoseoul_kor @infstones @EOS_Nation @NewdexOfficial @WhaleExchange @EOSAsia_one @ZB__EOS @eoscochain @StarteosIO @Lambdaim @atticlab_it @eosbeijing @SlowMist_Team @eosnewyork @cannon_eos @eoscafeblock Source: @Mikefletcher42

@BigONEexchange @EOSLaoMao @EOS_huobipool @eoseoul_kor @infstones @EOS_Nation @NewdexOfficial @WhaleExchange @EOSAsia_one @ZB__EOS @eoscochain @StarteosIO @Lambdaim @atticlab_it @eosbeijing @SlowMist_Team @eosnewyork @cannon_eos @eoscafeblock @Mikefletcher42 Attack stopped, network is back in a normal mode. >30K EOS stolen because of the vulnerability of DApp design. Not $EOS flaw. Just a smart-contract that was hacked.

To smart-contract devs:
1. Follow best security practices.
2. Do not rely on on-chain source of entropy in EOS.
@BigONEexchange @EOSLaoMao @EOS_huobipool @eoseoul_kor @infstones @EOS_Nation @NewdexOfficial @WhaleExchange @EOSAsia_one @ZB__EOS @eoscochain @StarteosIO @Lambdaim @atticlab_it @eosbeijing @SlowMist_Team @eosnewyork @cannon_eos @eoscafeblock @Mikefletcher42 This is also worth watching
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Dexaran
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#EOSPlay #EOSREX #hack #Spinach

Related threads

Profile picture
Tracybeanz
@tracybeanz
There is an ongoing car chase in a domestic violence incident in LA. The woman is in the passenger seat. Every time she tries to escape the car he it’s her. 🙏🙏Pray.
He HITS her. Not it’s.
The person in the passenger seat doesn’t look like she is under stress since I’ve been watching and they have been walking back the story that she was being hit.
Read 5 tweets
Profile picture
ChingasX
@ChingasX
#EOS
$EOS / $BTC - BINANCE

Let's talk about it...
Looking at the #PAS we see a 30% Peak gain on the 30 Day with a 25% pullback - Chart Time
Big drop Nov 27th - Created a fantastic V bottom reversal
Solid retrace from the drop to the 709 zone - settling Daily bodies on the 618
After retrace we went sideways in a relatively unproductive manner
BUT... All that sideways action over the last 51 days did leave behind one little nugget of hope...
We'll call it a cross between an ascending and Sym tril - either way, I Like the breakout play on the 8th.
First Big impulse move got us a quick little 382 pullback before continuing on to the move that broke us free.
The Breakout was as beautiful as it could be.
Flipped Horizontal R to S and a retest at the 5
The third big move has found support at the 618
Read 7 tweets
Profile picture
TKN-NOLA
@truthseekingiam
At 5:34pm election night Vlasto emailed Bossie the polling data he requested. Trump was down 5-8pts in 8 key states. The polls at this point had never been wrong.

Bossie shared the data w Bannon, Preibus & Kushner 1/
Frank Luntz over at Fox was given Fox exit polls at 5:03pm election night. It wasn’t even close. Hillary would be President.

Luntz says Trump had the (illegally obtained) polls & knew what he knew. 2/
August 2016 Roger Stone writes a column for the Hill accusing Priebus of rigging Wisconsin elections.

Step 1 publish a rigged poll
Step 2 rig the voting

3/
Read 33 tweets
Profile picture
Matt Beckman ☕️
@mattbeckman
EOSGov: An #EOS network run by the U.S. Government.

Tell me why this wouldn't work.

@BrendanBlumer @bytemaster7 @VitalikButerin @APompliano @lopp
States would compete as Block Producers to earn block rewards.

Dept's will be created in every state from California to New York to build, upgrade, and maintain infrastructure for an EOS.IO fork.

If a state fails to produce blocks, they don't get inflation $
IRS or DMV (or a new dept) would be responsible for on-boarding new users after verifying their identity in person.

Your birth certificate, fingerprints, photo, etc. will all be on-chain.

Some of it public, but most of it private and verifiable.
Read 7 tweets
Profile picture
cnLedger [Not giving away ETH]
@cnLedger
1/ Chinese Internet security giant 360 has found "a series of epic vulnerabilities" in the #EOS platform. Some of the bugs allow arbitrary code to be executed remotely on EOS nodes and even taking full control of the nodes.

Source (in Chinese): weibo.com/ttarticle/p/sh…
2/ According to their Weibo (Chinese Twitter), 360 reported the bugs to the EOS team. "The person in charge of the EOS network said that the EOS network will not be officially launched until these issues are fixed."
3/ 360: attacker can deploy smart contracts w/ malicious code to EOS super node, which will execute the contract and trigger a security bug. Once the contract is included in a new block, all full nodes including backup nodes, exchges, wallet nodes, are all susceptible to attack.
Read 5 tweets

Trending hashtags

#flagthread #PressFreedom #Bitches #Opioids #VoterFraud #GlobalHawk #backdoor #YouTube #JUDGE #alone #blessyourhearts #project #PascoProud #dunnit #OpUS #CryMoar #oof #hack #Coinbase #Swift #Protest #Trump #DNC #ALF #FRAUD
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!