For the second time in a week, the EOS platform has been in the spotlight for the wrong reasons. Hackers have managed to flood a decentralized exchange with fake EOS tokens to steal thousands in cryptocurrency.
Around $58,000 was stolen from the Newdex exchange when hackers exploited a security flaw. According to Hard Fork, the cunning cyber criminals spoofed the exchange into thinking a fake token was actually the real thing. The hackers created a new EOS-based token that they named ‘EOS’ in order to steal BLACK, IQ, and ADD tokens from the exchange.
Newdex has confirmed the hack and issued a statement:
“EOS account oo1122334455 issued 1,000,000,000 fake EOS tokens. After testing the feasibility of the attack, the account began to place large buy orders. A total of 11,800 fake EOS orders were issued to purchase BLACK, IQ [sic] and ADD.”
According to the statement, the fake EOS tokens were then traded for real ones, which were transferred to Bittrex. The hackers got away with 4,028 EOS tokens worth around $19,450 at current trading prices. The total loss, borne by Newdex users, amounted to nearly $58,000. The exchange has yet to state whether there will be any reimbursement.
The vulnerability stems from two things. First, the EOS platform lets anyone create a token and call it whatever they want, apparently including ‘EOS’. Second, Newdex does not use smart contracts, so there was no way of verifying the authenticity of the tokens.
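The missing check, sketched as an added example (not Newdex's code and not part of the original article): on EOS a token is identified by the contract account that issued it together with its symbol, so a deposit handler has to match both rather than the symbol alone. The `eosio.token` contract name for the genuine EOS token, the simplified action layout, and the `faketokenacc` and `alice1111111` accounts are assumptions or constructed sample data.

```python
from decimal import Decimal

# Assumption: the genuine EOS token is issued by the eosio.token contract
# with 4 decimal places. Trust is keyed on (contract account, symbol).
TRUSTED_TOKENS = {("eosio.token", "EOS"): 4}
DEPOSIT_ACCOUNT = "newdexpocket"  # exchange account named in the article


def parse_asset(quantity):
    """Split an asset string such as '10.0000 EOS' into (amount, symbol, precision)."""
    amount_str, symbol = quantity.split(" ")
    precision = len(amount_str.split(".")[1]) if "." in amount_str else 0
    return Decimal(amount_str), symbol, precision


def validate_deposit(action):
    """Return (accepted, reason) for one transfer action.

    `action` is a simplified dict: 'account' is the contract that executed
    the action, 'name' the action name, 'data' the transfer fields.
    """
    if action.get("name") != "transfer":
        return False, "not a transfer"
    data = action.get("data", {})
    if data.get("to") != DEPOSIT_ACCOUNT:
        return False, "not addressed to deposit account"
    try:
        amount, symbol, precision = parse_asset(data["quantity"])
    except (KeyError, ValueError, ArithmeticError, AttributeError):
        return False, "malformed quantity"
    # The symbol alone proves nothing: any contract can issue a token called EOS.
    expected_precision = TRUSTED_TOKENS.get((action.get("account"), symbol))
    if expected_precision is None:
        return False, f"untrusted token {symbol}@{action.get('account')}"
    if precision != expected_precision:
        return False, "precision mismatch"
    if amount <= 0:
        return False, "non-positive amount"
    return True, "ok"


# Constructed sample actions: one genuine deposit, one look-alike token.
SAMPLE_ACTIONS = [
    {"account": "eosio.token", "name": "transfer",
     "data": {"from": "alice1111111", "to": "newdexpocket", "quantity": "10.0000 EOS", "memo": ""}},
    {"account": "faketokenacc", "name": "transfer",
     "data": {"from": "alice1111111", "to": "newdexpocket", "quantity": "10.0000 EOS", "memo": ""}},
]

if __name__ == "__main__":
    for act in SAMPLE_ACTIONS:
        print(act["account"], validate_deposit(act))
```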
The EOS community commented on the way single user accounts can act as an exchange on the DEX:
“They deceptively present Scatter as the login and trading interface, so you feel like you’re using a DEX. In reality you aren’t sending funds to any smart contract, it’s just a regular EOS account they own ‘newdexpocket’, that doesn’t even have a smart contract running on it.”
Without a smart contract, as is the case with the newdexpocket account, users are simply sending tokens to an EOS wallet without any authentication process and hoping their orders will execute. Hard Fork also reported that the account used the exact same key for both its owner and active permissions. This resulted in an attack that may have been mitigated if the exchange had used multi-sig wallets, as most do.
Last week EOS suffered another smart contract breach when the EOSBet dApp was hacked, resulting in the loss of over $220,000 in cryptocurrency. Until this technology develops and secure standards and practices are in place, hackers are going to find ways to exploit the vulnerabilities in platforms and exchanges.