EOS Bug Bounty: Can you solve it?

With the recent launch of its main net, the platform EOS was found to have a bug in the system, discovered by Qihoo 360; EOS has kept a bounty for the same.

EOS’ main net, which is scheduled for launch today, went through a bug report which caused a lot of FUD (Fear, Uncertainty and Doubt) in the crypto space, especially for EOS’ stakeholders. However, EOS has taken care of this issue prior to the launch of the EOS main net.

What was the bug that caused trouble in the EOS main net?

The bug that caused the issue was a buffer out of bounds: an access to an array element outside the array’s defined bounds. Such an undefined variable can behave in a strange manner, because it is not defined in the array. If this variable is exploited, it can lead to the malfunction of the platform.

This is the graphical representation of the buffer out of bounds due to an invalid size calculation, where the red cells represent the out-of-bounds variables.
Image Courtesy: insights.sei.cmu.edu

When these undefined variables, represented by the red cells, are operated on by code that serves a purpose, they behave in whatever way that code dictates, as if they had been properly defined.

An attacker therefore gets a chance to exploit this part and can add functionality to the undefined variable according to his/her will.
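To make the "invalid size calculation" in the figure concrete, here is an added example in C; it is not code from the article, from EOSIO, or from the Qihoo 360 report. It models a constructed message whose first byte declares its own payload length (a hypothetical format, chosen for illustration): the unchecked calculation shows how many bytes a lying length field would push past an 8-byte buffer (the red cells), and the checked copy refuses such a message before any memory is touched.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Capacity of the destination buffer; any write at index >= BUF_CAP
 * lands in the out-of-bounds "red cells" of the figure above. */
#define BUF_CAP 8

/* Constructed sample messages (not from the page): one length byte, then payload. */
static const uint8_t kGoodMsg[]  = { 4, 'a', 'b', 'c', 'd' };     /* honest length   */
static const uint8_t kBadMsg[]   = { 200, 'x', 'y', 'z', 'w' };   /* exceeds buffer  */
static const uint8_t kShortMsg[] = { 6, 'a', 'b' };               /* exceeds message */

/* The unchecked size calculation: trusting the declared length, how many
 * bytes would spill past a BUF_CAP-byte buffer? Only computed, never performed. */
size_t overflow_bytes(const uint8_t *msg, size_t msg_len) {
    if (msg_len < 1) return 0;
    size_t n = msg[0];
    return n > BUF_CAP ? n - BUF_CAP : 0;
}

/* The bounds-checked copy: validates the declared length against both the
 * destination capacity and the bytes actually present before touching memory.
 * Returns the number of bytes copied, or -1 if the copy would go out of bounds. */
int copy_payload_checked(uint8_t *dst, size_t dst_cap,
                         const uint8_t *msg, size_t msg_len) {
    if (msg_len < 1) return -1;
    size_t n = msg[0];
    if (n > dst_cap) return -1;       /* write would run past dst      */
    if (n > msg_len - 1) return -1;   /* read would run past the message */
    memcpy(dst, msg + 1, n);
    return (int)n;
}

/* Wrapper with its own buffer so the check can be exercised directly. */
int try_copy(const uint8_t *msg, size_t msg_len) {
    uint8_t buf[BUF_CAP] = {0};
    return copy_payload_checked(buf, sizeof buf, msg, msg_len);
}

int main(void) {
    printf("good message:  copied %d bytes\n", try_copy(kGoodMsg, sizeof kGoodMsg));
    printf("bad message:   result %d, would have overflowed by %zu bytes\n",
           try_copy(kBadMsg, sizeof kBadMsg), overflow_bytes(kBadMsg, sizeof kBadMsg));
    printf("short message: result %d (length field exceeds bytes present)\n",
           try_copy(kShortMsg, sizeof kShortMsg));
    return 0;
}
```

The two checks in `copy_payload_checked` are the whole defence: a length that outruns the destination is a write out of bounds, and a length that outruns the message itself is a read out of bounds; both must be rejected before `memcpy` runs, because once the copy has happened the damage is done.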

EOS’ Bounty Program

Block.One, an open source software publisher specializing in high-performance blockchain technologies, had the following statement briefed in the article: “Block.one is excited to engage the developer community to help us to continue to secure the integrity of the EOSIO software. As a result, we’ve launched the EOSIO Bug Bounty Program in partnership with the leading ethical hacker-powered security platform, HackerOne. This on-going program will harness the collective intelligence and capabilities of the Block.one Engineering team and leading security researchers via HackerOne’s user-friendly interface.”

The Bounty Program, which is organized by HackerOne, seems to have had no bounty paid till now, and the bounty amounts to $10,000; seems pretty good for a bug fix, right!

But it ain’t that easy: developers are checking how such vulnerabilities can be rectified and how the platform can run effectively without such bugs, which are way too difficult to find, because the platform would be up and running irrespective of the bug; it is a matter of time until someone discovers it and starts exploiting it.

A brief of what you would have to do (there will be a link at the end of the article); this part of the article is for someone who wants to know the full technical part of the bounty kept by EOS:

This is the list of the Qualifying Vulnerabilities:

Qualifying vulnerabilities

Only the following design or implementation issues that substantially affect the stability or security of the project are in scope for the program. Common examples include:

  1. Cause nodeos to crash via the P2P plugins (net_plugin or bnet_plugin)
  2. Cause nodeos to crash via the HTTP RPC API (http_plugin) with Patroneos protection
  3. Send a contract into an infinite loop
  4. Cause a contract to use large amount of memory (more than 64MB)
  5. Crash nodeos with a contract
  6. Trigger unauthorized actions on accounts
  7. Cause a contract to run for more than 10 ms over deadline

Here are the links to the leads of the Bounty and all that you would need to know:

Calling all Devs: The EOSIO Bug Bounty Program is Live

EOSIO Bug Bounty Program

Bounds checking

Hope you liked this article, and do share it with your Crypto-friends!!

Disclaimer: The opinions presented here are of the Authors. Readers should do their own due diligence before taking any actions related to the promoted company or any of its affiliates or services. CoinScenario.com is not responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in the press release.
