Who Spent My EOS? On the (In)Security of Resource Management of EOS.IO

EOS is a popular cryptocurrency, whose market cap is over seven billion USD. Its ecosystem operates in the EOS.IO system, which is devised to speed up the slow transaction rate of previous blockchain technologies. Whereas many previous studies have investigated the security issues of Bitcoin and Ethereum, the security of EOS.IO has thus far drawn little attention despite its popularity. Even the studies that have addressed the security of EOS and its underlying blockchain system mostly focused on implementational bugs in the core of the EOS.IO system or in smart contracts, rather than addressing the fundamental problems stemming from the EOS.IO design. To address this void in the previous literature, we investigate the design architecture of EOS.IO. Based on this investigation, we introduce four attacks whose root causes stem from the unique characteristics of EOS.IO, including intentionally slowing down the block creation time—which can disrupt the essential functions of its blockchain and incapacitate the entire EOS.IO system. In addition, we find that an adversary can partially freeze the execution of a target smart contract or maliciously consume all the resources of a target user with crafted requests. We report all the identified threats to the EOS.IO foundation, one of which is confirmed to be fatal. Finally, we discuss possible mitigations against the proposed attacks.
Publisher
USENIX
Issue Date
2019-08-13
Language
English
Citation

Workshop on Offensive Technologies

URI
http://hdl.handle.net/10203/268275
Appears in Collection
CS-Conference Papers; EE-Conference Papers