Hackers have used the EOS cryptocurrency platform’s own token-generating service to create a knock-off “EOS” token and then steal about $58 000 of real crypto from users of the “decentralized” crypto exchange Newdex, The Next Web reports.
Newdex reportedly issued a statement confirming the hack:
“EOS account oo1122334455 issued 1,000,000,000 fake EOS tokens…After testing the feasibility of the attack, the account began to place large [buy orders]. A total of 11,800 fake EOS orders were issued to purchase BLACK, IQ and ADD.”
The BLACK, IQ and ADD tokens were then used to purchase real EOS at Newdex. $20 000 USD worth of authentic EOS were then transferred to the Bitfinex exchange.
The hackers exploited two critical vulnerabilities in crypto systems generally hyped as empowering for users.
The first problem involves the EOS system itself, a “powerful infrastructure for decentralized applications” launched this year.
At least up until the hack, the EOS system apparently did not have a way to prevent creation of duplicate tokens on its platform.
As all tokens created there are compatible with the EOS chain, the hackers were evidently able to trade the knock-off tokens without issue, as if they were genuine EOS.
The implications are huge.
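The defensive check the duplicate-token problem calls for, as an added example that is not part of the original article or of any Newdex or EOS code: on EOS a token is identified by the contract account that issued it together with its symbol and precision, so an exchange must never credit a deposit on the symbol string alone. The genuine system token is issued by the real `eosio.token` contract; the `Transfer` record, the `fakeeostoken` issuer and the sample deposits are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Whitelist keyed by (issuing contract, symbol) -> expected precision.
# "eosio.token" is the real EOS system token contract; the precision of 4 is its real setting.
TRUSTED_TOKENS = {
    ("eosio.token", "EOS"): 4,
}

@dataclass(frozen=True)
class Transfer:
    contract: str   # account whose token contract executed the transfer (the issuer)
    sender: str
    receiver: str
    quantity: str   # EOS asset string, e.g. "100.0000 EOS"

def parse_asset(quantity: str) -> Tuple[str, int]:
    """Split an EOS asset string into (symbol, precision); raise on malformed input."""
    amount, symbol = quantity.strip().split(" ")
    if not (symbol.isalpha() and symbol.isupper() and len(symbol) <= 7):
        raise ValueError(f"bad symbol: {symbol!r}")
    float(amount)  # raises ValueError if the amount is not numeric
    precision = len(amount.split(".")[1]) if "." in amount else 0
    return symbol, precision

def is_genuine(transfer: Transfer, exchange_account: str) -> bool:
    """Accept a deposit only if receiver, issuing contract, symbol and precision all match."""
    if transfer.receiver != exchange_account:
        return False
    symbol, precision = parse_asset(transfer.quantity)
    # Looking up (contract, symbol) rather than symbol alone is what rejects the knock-off.
    return TRUSTED_TOKENS.get((transfer.contract, symbol)) == precision

def credit_deposits(transfers: List[Transfer], exchange_account: str) -> List[Transfer]:
    """Return the deposits an exchange should credit, dropping look-alike tokens."""
    return [t for t in transfers if is_genuine(t, exchange_account)]

# Constructed sample: one real EOS deposit and one "EOS"-symbol token from another contract.
SAMPLE = [
    Transfer("eosio.token", "alice", "exchangeacct", "100.0000 EOS"),
    Transfer("fakeeostoken", "oo1122334455", "exchangeacct", "100.0000 EOS"),
]
```

A symbol-only check (`quantity.endswith(" EOS")`) would credit both sample transfers; the contract-aware check credits only the first.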
The second problem relates to the Newdex “decentralized” exchange.
To make matters worse, Newdex allegedly:
“…has no smart contract code programmed into it. Without a smart contract, users of Newdex are simply sending funds to a personal EOS account with the hope that trades will be conducted properly.”
Newdex has allegedly further neglected its fiduciary duty by “using the exact same key for both its owner and active permissions. This creates a single attack vector that is easily exploitable. For reference, most exchanges at least use multi-sig wallets.”