EOS EVM Contract Drain Vulnerability: Difference between revisions
(Starting initial edit.) |
(Complete the full 30 minutes.) |
||
| Line 35: | Line 35: | ||
* Details of what audits reported and how vulnerabilities were missed during auditing. | * Details of what audits reported and how vulnerabilities were missed during auditing. | ||
TBD - Need to fill in more details on the exact exploit and how it happened. | |||
== What Happened == | == What Happened == | ||
The vulnerability was kept confidential and patched behind the scenes by the EOS team. They released an update to the EOS EVM on May 15th. | The vulnerability was kept confidential and patched behind the scenes by the EOS team. They released an update to the EOS EVM on May 15th. | ||
| Line 55: | Line 55: | ||
== Technical Details == | == Technical Details == | ||
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited? | This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited? | ||
Need more details on the exploit itself. | |||
Release Notes:<ref name="eosnetworkfoundationgithub-11035" /> | Release Notes:<ref name="eosnetworkfoundationgithub-11035" /> | ||
| Line 65: | Line 67: | ||
== Total Amount Lost == | == Total Amount Lost == | ||
There were no funds lost since the EOS EVM Contract, EOS EVM Node, and EOS EVM RPC for the EOS mainnet implementation were patched prior to a public release of any information. The fix to the security vulnerability is technically a breaking change to EOS EVM. However, the vulnerability does not appear to have been exploited on either the EOS EVM testnet or mainnet. Therefore, it was possible to treat the fix as simpler retroactive change of the EVM. It does not appear that any bounty was paid out for discovering the vulnerability either. | |||
== Immediate Reactions == | == Immediate Reactions == | ||
| Line 92: | Line 88: | ||
== Ultimate Outcome == | == Ultimate Outcome == | ||
The EOS Foundation announced the resolution on Twitter with a new version of the EVM being released for people to download. | |||
=== EOS Foundation Announcement on Twitter === | === EOS Foundation Announcement on Twitter === | ||
| Line 105: | Line 101: | ||
== Total Amount Recovered == | == Total Amount Recovered == | ||
No funds were lost in this case, and therefore no recovery was needed. | |||
== Ongoing Developments == | == Ongoing Developments == | ||
Revision as of 12:08, 19 May 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
A critical vulnerability was uncovered and resolved in the EOS EVM before it could be exploited. The vulnerability, if exploited, would have allowed draining all contracts storing EOS across the trustless bridge. According to the report, the vulnerability was never exploited.
About EOS Blockchain
"EOS is a platform that uses the blockchain technology for the development of decentralized applications (dapps), very similar to Ethereum in function. As a matter of fact, supporters have dubbed it as the “Ethereum killer”. By providing an operating-system-like set of services and features that dapps can make use of, it makes dapp development very easy."
"EOSIO is a highly performant open-source blockchain platform, built to support and operate safe, compliant, and predictable digital infrastructures." "EOSIO is a leading open-source software for blockchain innovation and performance. As one of the most performant, customizable, and secure blockchains available, it offers industry-leading speed, scalability, configurability, and the latest security standards." "Block.one is also the originator of EOSIO, the leading open-source blockchain software that provides developers and businesses with the tools to build the infrastructure of tomorrow."
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
"The security vulnerability is related to the state objects tracking the reserved addresses of the trustless bridge and how they were not properly being undone in the case of an EVM execution context being reverted. If exploited, it could potentially allow an attacker to illegitimately drain all of the EOS stored by the EOS EVM Contract across the trustless bridge."[3]
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
TBD - Need to fill in more details on the exact exploit and how it happened.
What Happened
The vulnerability was kept confidential and patched behind the scenes by the EOS team. They released an update to the EOS EVM on May 15th.
| Date | Event | Description |
|---|---|---|
| May 15th, 2023 7:07:00 PM MDT | Upgrade Available | The upgrage to the EVM is made available on Twitter[4][5]. |
| May 16th, 2023 | Included In SlowMist | The vulnerability is included as an exploit on the SlowMist website[6]. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
Need more details on the exploit itself.
Release Notes:[7]
About The Upgrade:[3]
"The security vulnerability is related to the state objects tracking the reserved addresses of the trustless bridge and how they were not properly being undone in the case of an EVM execution context being reverted. If exploited, it could potentially allow an attacker to illegitimately drain all of the EOS stored by the EOS EVM Contract across the trustless bridge."
"The EOS Network Foundation tweeted that the EOS EVM has released version v0.4.2, which fixes a serious security vulnerability found in the EOS EVM. The EOS EVM contracts, EOS EVM nodes, and EOS EVM RPC components implemented by the EOS mainnet all need to be upgraded."
Total Amount Lost
There were no funds lost since the EOS EVM Contract, EOS EVM Node, and EOS EVM RPC for the EOS mainnet implementation were patched prior to a public release of any information. The fix to the security vulnerability is technically a breaking change to EOS EVM. However, the vulnerability does not appear to have been exploited on either the EOS EVM testnet or mainnet. Therefore, it was possible to treat the fix as simpler retroactive change of the EVM. It does not appear that any bounty was paid out for discovering the vulnerability either.
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
"The EOS Network Foundation tweeted that the EOS EVM has released version v0.4.2, which fixes a serious security vulnerability found in the EOS EVM. The EOS EVM contracts, EOS EVM nodes, and EOS EVM RPC components implemented by the EOS mainnet all need to be upgraded."
"The EOS EVM Contract, EOS EVM Node, and EOS EVM RPC for the EOS mainnet implementation have already been patched prior to this public release."
"The fix to the security vulnerability is technically a breaking change to EOS EVM. However, the vulnerability does not appear to have been exploited on either the EOS EVM testnet or mainnet. Therefore, it becomes possible to treat the fix as simpler retroactive change of the EVM."
According to the release notes, the following developers were responsible for assisting with the investigation and resolution:
- @yarkinwho
- @spoonincode
- @taokayan
Ultimate Outcome
The EOS Foundation announced the resolution on Twitter with a new version of the EVM being released for people to download.
EOS Foundation Announcement on Twitter
The EOS Foundation posted on Twitter to announce the resolution of the vulnerability[4][5].
EOS EVM v0.4.2 Released!
This release fixes a critical security vulnerability discovered in the EOS EVM.
The EOS EVM Contract, EOS EVM Node, and EOS EVM RPC for the EOS mainnet implementation have already been patched prior to this public release.
"Upgrading EOS EVM Contract from v0.4.1 simply requires a setcode of the v0.4.2 contract. There are no changes to the ABI."
Total Amount Recovered
No funds were lost in this case, and therefore no recovery was needed.
Ongoing Developments
There don't appear to be any remaining developments in this case. The original vulnerability has already been patched by the EOS team.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ https://eos.io/ (May 29, 2022)
- ↑ https://medium.datadriveninvestor.com/eos-oversimplified-a-beginners-guide-to-eos-io-cryptocurrency-4b1ee4465736?gi=f62babde20e3 (May 29, 2022)
- ↑ 3.0 3.1 Comparing v0.4.1...v0.4.2 · eosnetworkfoundation/eos-evm · GitHub (May 19, 2023)
- ↑ 4.0 4.1 EOSnFoundation - "EOS EVM v0.4.2 Released! This release fixes a critical security vulnerability discovered in the EOS EVM." - Twitter Archive May 19th, 2023 11:23:47 AM MDT (May 19, 2023)
- ↑ 5.0 5.1 EOSnFoundation - "EOS EVM v0.4.2 Released! This release fixes a critical security vulnerability discovered in the EOS EVM." - Twitter (May 19, 2023)
- ↑ SlowMist Hacked - SlowMist Zone Archive May 19th, 2023 10:13:38 AM MDT (May 19, 2023)
- ↑ 7.0 7.1 Release EOS EVM v0.4.2 Release Notes · eosnetworkfoundation/eos-evm · GitHub (May 19, 2023)