Last Friday, the decentralized exchange Newdex was hit by a spoofing attack. The attackers “forged” the EOS token and then placed buy orders for BLACK, IQ and ADD. The total damage to the exchange is about $58,000.

The hackers exploited a security flaw that let them create their own token on the EOSIO blockchain and give it the same symbol as the original native token. In an official statement, Newdex confirmed the theft and shared technical details:

“The EOS account oo1122334455 generated 1 billion false tokens. Convinced of the feasibility of the attack, the account holders began to place large buy orders. For purchasing BLACK, IQ [sic] and ADD alone, 11,800 fake EOS tokens were released and spent.”

Later, the hackers exchanged the fake tokens for real ones and transferred the stolen assets to a Bittrex account. In addition to the tokens above, they managed to withdraw 4,028 EOS worth $21,828 (at the exchange rate at the time of publication). All assets were stolen directly from the wallets of Newdex users. The exchange has not yet announced compensation, but assured traders that “their funds are safe” and that “the hackers have been discovered”.

An additional factor contributing to the success of the theft is that the exchange does not verify transactions through smart contracts. In effect, users send funds directly to each other without any guarantee that the operation will be processed successfully. In addition, because of how EOSIO wallets are configured (the requests within a transaction do not require different signatures), the attackers were able to withdraw funds using the same key.
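
The missing check described above, as an added example (not Newdex's code): a token's symbol is chosen by whoever issues it, so a deposit should count as EOS only when the issuing contract matches as well. The struct is a simplified stand-in for the EOSIO SDK types, the account `fakeissuer11` and the deposits are constructed, and `eosio.token` with 4 decimals is assumed to be the native issuer.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Simplified model of an incoming token transfer (not the EOSIO SDK types).
struct Transfer {
    std::string token_contract; // account whose contract issued the token
    std::string symbol;         // ticker, freely chosen by the issuer
    uint8_t     precision;      // decimal places
    int64_t     amount;         // in smallest units
};

// Assumption: native EOS is issued by "eosio.token" with 4 decimal places.
const std::string NATIVE_CONTRACT  = "eosio.token";
const std::string NATIVE_SYMBOL    = "EOS";
const uint8_t     NATIVE_PRECISION = 4;

// Weak policy: trusts the ticker alone, so any contract's "EOS" is accepted.
bool accept_by_symbol_only(const Transfer& t) {
    return t.symbol == NATIVE_SYMBOL && t.amount > 0;
}

// Hardened policy: the ticker counts only together with its issuing contract.
bool accept_native_eos(const Transfer& t) {
    return t.token_contract == NATIVE_CONTRACT && t.symbol == NATIVE_SYMBOL
        && t.precision == NATIVE_PRECISION && t.amount > 0;
}

// Total amount an exchange would credit under the given acceptance policy.
int64_t credited(const std::vector<Transfer>& in, bool (*policy)(const Transfer&)) {
    int64_t total = 0;
    for (const auto& t : in)
        if (policy(t)) total += t.amount;
    return total;
}

// Constructed sample deposits: one genuine, one look-alike, one malformed.
std::vector<Transfer> sample_deposits() {
    return {
        {"eosio.token",  "EOS", 4, 50000},      // 5.0000 real EOS
        {"fakeissuer11", "EOS", 4, 118000000},  // same ticker, other issuer
        {"eosio.token",  "EOS", 4, -10},        // non-positive amount
    };
}

int main() {
    auto d = sample_deposits();
    std::cout << "symbol-only policy credits: " << credited(d, accept_by_symbol_only) << "\n";
    std::cout << "contract+symbol policy credits: " << credited(d, accept_native_eos) << "\n";
}
```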

The issue of vulnerabilities in the EOS network has been raised repeatedly by users. Earlier, technical director Dan Larimer intended to address the organizational and technical roots of the problem by introducing a new “Constitution”, the body of internal rules of EOS.