As the largest ICO in history, EOS is touted as the most competitive candidate of next-generation blockchain systems and has naturally attracted great attention world-wide.
Among all the buzz about EOS, the security aspect of EOS is one of the most controversial topics.

In this blog, PeckShield researchers take a close look at a key component of EOS, namely EOS accounts. In particular, we are interested in how EOS accounts are generated by existing tools [3]. We are surprised to find that certain EOS accounts can readily be compromised, and that the corresponding digital assets are at serious risk of being stolen. For simplicity, we call these affected accounts high-risk EOS accounts. In order to mitigate the issue and protect high-risk EOS users, PeckShield is now launching a public service dubbed EOSRescuer [2].

In the following, we go through the details of this particular security issue and disclose the list of vulnerable accounts covered by EOSRescuer.

Problem Description

The risk stems from an improper use of third-party EOS key-pair generation tools, including but not limited to EOSTEA [3]. These tools derive EOS key pairs from user-provided seeds, which makes key generation very convenient. Unfortunately, if a simple seed is chosen (by the user) and allowed (by the tool), the derived keys can be recovered by a rainbow table attack (or dictionary attack) [4], since the key pair is a deterministic function of the seed.

Figure 1: The Rainbow Table Attack Against High-Risk EOS Accounts


Our Approach

To rescue these high-risk EOS accounts that are vulnerable to rainbow table attacks, we first create a secure EOS account and then, as a stop-gap measure, transfer the EOS balances from the vulnerable accounts to this secure one. Next, we return the transferred EOS balances to their original owners (after verifying their ownership of the accounts) in a transparent and verifiable way. Meanwhile, every EOS holder is encouraged to check her account by querying EOSRescuer (https://peckshield.com/eosrescuer). If the account is labeled as in danger, please contact us ASAP. To claim back your balance covered by EOSRescuer, please provide enough information to prove your ownership of the account, such as official activity records for the account. This entire process is transparent and free, and is subject to third-party media inquiry or audit.

So far we have rescued the balances of some of the affected EOS holders. The related information is listed below:

Vulnerable Public Key                                  Account        Balance (EOS)
-----------------------------------------------------  ------------  -------------
EOS7duB6AzYwhpmwYepy6GRXPN1h6C5e3svZPB4T4P1mdVkwZ5Pf9  zeilaovenus3      1505.3975
EOS8SHA9WBK2rJkuC46BtkAaAdiBLdgph3vAE9SnjrntsHGfEwp7c  monkey123123       658.2789
EOS7CPRUDmARmxsx26maZcGUnHfC6TFhQ47BAFhWfHQvyNdd4VAaW  liakila12121       293.7492
EOS89DYCAgdqvxvC7JsEQHPa1rZAxtjY2wuiT9vuBo95A4LKZvmg3  fengbo552211       245.7134
EOS5HeMa8kKEzPUTauGaNLVDodnHjanr7i2HnGxCRbSxWGDdHyYGf  wuyouwoainia       148.0744
EOS8THRxyz17iR1yu7b6PjzhHZqCc5fGnBVGvVr6gwc1FpirgRm5y  reding543234       131.9634
EOS7nDxqnaBdqKXoaxH1f4a5phPwL3px2pxqzjXD7omyaHpapxdmu  liyouzhong12        81.7319
EOS55VMQeqfZmfRpXXHavKDtVt1j3vFVYT26H3hLuZbAwq6FZrHbP  eosprincess1        50.1000
EOS8MzrYFiH6BTLxeqJvSwvZXsMgrA9qGLL6BwkLtkomqFdgVDWtC  lanjunnan323        48.0217
EOS6Tfhjx4UhifvfUnVyoBNo4S83Kk6kpvx7rgVc3hZKfvSMskmCH  andy11223344         0.0084
EOS5YRPsAdiyikaxVeusFHhSnc5QbYJQ8BdwXp36HsL8sL2pMPnHU  rewineosio11         0.0000
EOS82BwJpXGX3ULuwYbXrjmtohrNRnvMhjvX6rankhMmyUnzmPUvE  dadiaoche123         0.0000

We emphasize that this effort is still in progress, and EOS holders are encouraged to re-query EOSRescuer [2] for the latest result. Don't worry if your account is labeled: all you need to do is contact us (by sending an email to [email protected]) with a proof that you are indeed the owner of that EOS account. Also, if you have chosen a weak mnemonic, please choose a stronger one to generate a new EOS key pair, and then follow the guideline [5] to change the private key of your EOS account.
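The weak-seed problem described under Problem Description and the advice above to pick a stronger mnemonic both come down to one gate that a key-generation tool should enforce before deriving anything from a user-provided seed. The following is an added example written for this post, not code from PeckShield or from any of the tools mentioned: it estimates the entropy of a seed, rejects seeds below a threshold (128 bits is an assumed policy), and shows the alternative of drawing the private key directly from the OS random source. The small dictionary of common seeds is constructed for illustration.

```python
import math
import secrets
import string

# Order of the secp256k1 group (the curve EOS keys use); a valid private key
# is an integer in [1, SECP256K1_N - 1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample of seeds a dictionary attacker would precompute first;
# a real tool would ship a far larger word list.
COMMON_SEEDS = {"password", "123456", "eos", "qwerty", "letmein", "iloveyou"}

def seed_entropy_bits(seed: str) -> float:
    """Estimate the entropy (in bits) of a user-chosen seed.

    A seed found in the dictionary is treated as 0 bits: whoever has
    precomputed the key pair for that seed recovers the key instantly.
    Otherwise the estimate is len(seed) * log2(alphabet size), where the
    alphabet is the union of the character classes present in the seed.
    """
    if seed.lower() in COMMON_SEEDS:
        return 0.0
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in seed))
    if alphabet == 0:
        return 0.0
    return len(seed) * math.log2(alphabet)

def is_acceptable_seed(seed: str, min_bits: float = 128.0) -> bool:
    """Gate a generator should apply before deriving a key pair from a seed."""
    return seed_entropy_bits(seed) >= min_bits

def generate_private_key() -> bytes:
    """Return a random 32-byte secp256k1 private key from the OS CSPRNG.

    This is what a key tool should do instead of hashing a human-chosen seed:
    the key is then not a function of anything an attacker can enumerate.
    """
    while True:
        candidate = secrets.token_bytes(32)
        k = int.from_bytes(candidate, "big")
        if 1 <= k < SECP256K1_N:
            return candidate
```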

About Us

PeckShield Inc. is a blockchain security company that aims to elevate the security, privacy, and usability of the current blockchain ecosystem by offering top-notch, industry-leading services and products (e.g., smart contract auditing). Please contact us via Telegram, Twitter, or email.

References



Published

10 July 2018