Following on from yesterday’s revelations concerning serious vulnerabilities in the EOS platform, today it has come to light that a number of attacks have been attempted against EOS nodes that are inadvertently exposing their private keys because of a configuration error in their API.
Single Attacker Targets Known Vulnerabilities
The attacks seem to be coming from a single malicious IP address that is scanning the internet for EOS nodes. It appears to relate to a bug reported last week – not to the flaws reported by Chinese security firm 360 yesterday.
According to GitHub user and EOSIO contributor ‘noprom’, part of the EOS RPC API can expose a user’s private key:
“I am using the EOS RPC API to develop some dapps. When I unlock my wallet using /v1/wallet/unlock, I can use /v1/wallet/list_keys to get all my keys, and these keys are exposed to the internet. There may be some security problems.”
The wallet_plugin is largely used for testing and is “not intended for a live environment”. However, any EOS wallet developer who has not browsed through the relevant documentation needs to be “very aware of the fact that the keys to people’s fortunes (in EOS) and reputations (in signing smart contracts) are in [their] hands”.
Currently, EOS does not appear to have an “authentication system to protect access to this API endpoint”, and because the attacker scouring the internet knows about the bug, they can scan for EOS nodes to check whether the endpoint is still allowing access.
As Mainnet Launch Approaches, Founder Rebuts 360 Report
The drama surrounding the fifth largest cryptocurrency and its upcoming mainnet launch continued unabated today, as a screenshot of founder Daniel Larimer’s rebuttal to the claims of 360 reached reddit. The GitHub link to the fix can be found here.
Larimer’s post morphed into a discussion surrounding decentralization and arbitration, a topic that has been at the forefront of EOS discussions since its inception.
One of the godfathers of cryptography, @NickSzabo, waded into the argument after Twitter user @panekkkk tweeted about the rules governing the currency and how all transactions must include a hash of the EOS constitution:
Great thread about how much EOS depends on a naively drafted “constitution”, human-interpreted wet code. As a result EOS will be labor-intensive, permissioned, jurisdictionally biased, and will have poor social scalability. https://t.co/64XzgplMsb
— Nick Szabo (@NickSzabo4) May 30, 2018
The discussion continued on the EOS subreddit, with users debating the merits and credibility of operating on a system that relies too heavily on Larimer. If the constitution rules are broken, who decides what action should be taken? In the case of a hack, such as what happened with Ethereum and The DAO, will Larimer preside over a rollback?
Decentralization Takes Center Stage
The more philosophical questions to arise are whether or not decentralization is more important than profit and whether or not users value the founding principle of bitcoin over becoming wealthy.
Traditionally, markets have centralized to become dominated by a small number of large players. Is the same thing happening in crypto, and do the participants care about being beholden to a benevolent dictator, as opposed to rule-by-code and Nakamoto consensus?
Despite the melodrama, the coin is on course to raise $4 billion USD from its year-long ICO, making it the most successful initial coin offering to date, as well as placing it behind only BTC, ETH, XRP, and BCH in terms