EOS Dapp Fishing Joy Hacked By Transaction Blocking Technique: Peckshield

While hackers have taken advantage of vulnerabilities in exchanges and certain projects to steal cryptos in the past, their new targets now seem to Internet 3.0, the Dapps. While a lot of Dapps have fallen victims to hackers recently, the new addition to this list is EOS Dapp, Fishing Joy

Continuous Attack on EOS Dapp resulted in 100% profit    

According to a recent update released by Peckshield security, the PeckShield Security Shield Wind Control Platform, DAppShield which monitors the Dapp ecosystems, reported the EOS Dapp game Fishing Joy was attacked by hackers. According to what was reported hackers launched a continuous attack on the EOS quiz game Fishing Joy, profiting hundred percent from them. According to the analysis carried out, Peckshield believes that the hackers used transaction blocking (CVE-2019-6199) method to trigger the game’s currency withdrawal mechanism, resulting in 100% profit.

This attack was an alarm call for Dapp developers as Dapp ecosystems that developers should conduct security tests before the contract goes online, especially to eliminate the threat of known attacks. If required these Dapps may seek the assistance of a third-party security company to help them complete the black box test and basic security defense before the contract is launched and deployed.

Transaction Blocking: Exposing one of the biggest EOS vulnerabilities

This is not the first time EOS Dapps have been exposed to such vulnerabilities.  In January Peckshield itself had detected a similar attack

Again in January 2019, EOS gambling game dubbed “IDice“, was hacked using “Transaction Congestion Attack” technique.

Transaction blocking (CVE-2019-6199) method of attack which is also known as “Transaction Congestion Attack” is peculiar with EOS as EOS allows an user-signed transaction scheduling another deferred transaction (i.e., a transaction to be executed in the future). This is where the problem lies as deferred transactions (including trash transactions) are given priority over user-signed transactions allowing them to deny access to user-signed transactions. Specifically, when deferred transactions are scheduled, the usually circumvent the API node and reach BP execution queue directly.

Also Read: Tron Dapp Spends On Rise, Reaches $102.4 a Day Surpassing Traditional Non-Dapp Games Spends

Since they have higher priority than user-signed transactions, they would be processed before any user-signed transaction. Furthermore, if a deferred transactions schedule another deferred transaction, other BPs would likely pick up the deferred transaction again.

Therefore, an attacker could, in a transaction, start a large number of deferred trash transactions, include dead loops in these deferred transactions to cause a timeout, use up all the CPU time, and finally paralyze the EOS network.

This frequent attacks on EOS are exposing its vulnerability and are a reminder for the development team to patch this soon. Otherwise, EOS would face the same fate what Ethereum was facing due to congestion with respect to Dapp Ecosystem.

Will EOS be able to fix this Transaction Congestion Attack? Do let us know your views on the same.

The post EOS Dapp Fishing Joy Hacked By Transaction Blocking Technique: Peckshield appeared first on Coingape.

Share