Quadriga Initiative

May 2023 - EOS EVM Contract Drain Vulnerability - $0k (Global)

"EOS is a platform that uses the blockchain technology for the development of decentralized applications (dapps), very similar to Ethereum in function. As a matter of fact, supporters have dubbed it as the “Ethereum killer”. By providing an operating-system-like set of services and features that dapps can make use of, it makes dapp development very easy."

"EOSIO is a highly performant open-source blockchain platform, built to support and operate safe, compliant, and predictable digital infrastructures." "EOSIO is a leading open-source software for blockchain innovation and performance. As one of the most performant, customizable, and secure blockchains available, it offers industry-leading speed, scalability, configurability, and the latest security standards." "Block.one is also the originator of EOSIO, the leading open-source blockchain software that provides developers and businesses with the tools to build the infrastructure of tomorrow."

"The security vulnerability is related to the state objects tracking the reserved addresses of the trustless bridge and how they were not properly being undone in the case of an EVM execution context being reverted. If exploited, it could potentially allow an attacker to illegitimately drain all of the EOS stored by the EOS EVM Contract across the trustless bridge."

"The EOS Network Foundation tweeted that the EOS EVM has released version v0.4.2, which fixes a serious security vulnerability found in the EOS EVM. The EOS EVM contracts, EOS EVM nodes, and EOS EVM RPC components implemented by the EOS mainnet all need to be upgraded."

"The EOS EVM Contract, EOS EVM Node, and EOS EVM RPC for the EOS mainnet implementation have already been patched prior to this public release."

"The fix to the security vulnerability is technically a breaking change to EOS EVM. However, the vulnerability does not appear to have been exploited on either the EOS EVM testnet or mainnet. Therefore, it becomes possible to treat the fix as a simpler retroactive change of the EVM."

"Upgrading EOS EVM Contract from v0.4.1 simply requires a setcode of the v0.4.2 contract. There are no changes to the ABI."

Further Analysis

A critical vulnerability in the EOS EVM was discovered and fixed before it could be exploited. If exploited, it would have allowed an attacker to drain all of the EOS stored by the EOS EVM Contract across the trustless bridge.
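The class of defect described above (tracking state that is not undone when an execution context reverts) can be caught with a revert invariant in tests. The following is an added, simplified model, not code from eos-evm; the `State` layout, function names and the sample address are all hypothetical.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>

// Simplified model (assumption): balances plus a side table of addresses
// flagged during execution. Not the eos-evm data structures.
struct State {
    std::map<std::string, uint64_t> balances;
    std::set<std::string> flagged;  // auxiliary tracking objects
};

// Incomplete revert: restores balances but leaves the side table modified.
void revert_incomplete(State& s, const State& snap) {
    s.balances = snap.balances;
}

// Complete revert: everything the context could touch is restored.
void revert_complete(State& s, const State& snap) {
    s.balances = snap.balances;
    s.flagged = snap.flagged;
}

// Test invariant: after a revert, state must equal the entry snapshot.
bool matches_snapshot(const State& s, const State& snap) {
    return s.balances == snap.balances && s.flagged == snap.flagged;
}

// Runs a context that moves value and flags an address, rolls it back with
// the supplied routine, and reports whether the invariant holds afterwards.
bool reverted_context_is_clean(void (*revert)(State&, const State&)) {
    State s;
    s.balances = {{"bridge", 100}, {"user", 0}};  // constructed sample data
    const State snap = s;            // snapshot taken on context entry
    s.balances["bridge"] -= 40;      // effects inside the context
    s.balances["user"] += 40;
    s.flagged.insert("0xreserved");  // constructed placeholder address
    revert(s, snap);                 // context fails and is rolled back
    return matches_snapshot(s, snap);
}

int main() {
    // Exit code 0 only when the complete revert leaves no residue.
    return reverted_context_is_clean(revert_complete) ? 0 : 1;
}
```

Running the same check against every revert path in a test suite flags any state object that was added later without being included in the rollback.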

How Could This Have Been Prevented?


Sources/Further Reading

SlowMist Hacked - SlowMist Zone (Dec 31)
@EOSnFoundation Twitter (Dec 31)
Release EOS EVM v0.4.2 Release Notes · eosnetworkfoundation/eos-evm · GitHub (Dec 31)
Comparing v0.4.1...v0.4.2 · eosnetworkfoundation/eos-evm · GitHub (Dec 31)
https://eos.io/ (Dec 31)
https://medium.datadriveninvestor.com/eos-oversimplified-a-beginners-guide-to-eos-io-cryptocurrency-4b1ee4465736?gi=f62babde20e3 (Dec 31)

