The launch of the EOS mainnet was delayed due to a critical bug found by China-based cybersecurity firm Qihoo 360. Emin Gün Sirer, a professor at the prestigious Cornell University, criticised EOS developers for not seeking assistance from consensus protocol experts.
Even after the mainnet launch, Sirer and other cryptocurrency experts including smart contracts pioneer Nick Szabo condemned EOS for its code and centralization issues.
Sirer Said EOS Problems Will Get Worse
In an official report in May, Qihoo 360 shared its conversation with EOS chief technical officer Daniel Larimer, disclosing the EOS out-of-bounds write vulnerability. According to the Qihoo 360 team, the vulnerability enables hackers to exploit and compromise the EOS Supernode.
“We found and successfully exploited a buffer out-of-bounds write vulnerability in EOS when parsing a WASM file. To use this vulnerability, an attacker could upload a malicious smart contract to the nodes server; after the contract gets parsed by the nodes server, the malicious payload could execute on the server and take control of it. After taking control of the nodes server, the attacker could then pack the malicious contract into a new block and further control all nodes of the EOS network,” said the Qihoo team.
The report from Qihoo 360 added that the team initially discovered the vulnerability on May 11 and exploited it on May 28. Qihoo 360 disclosed the vulnerability to the EOS team, which then “fixed” it and closed the issue on GitHub. However, on May 29, Qihoo 360 discovered that the vulnerability was not completely fixed and thus released its report to the public.
The vulnerability in the codebase of EOS left the blockchain network open to harsh criticism, primarily because EOS was expected to launch its mainnet on June 2, within the next five days.
Sirer, a renowned cryptocurrency researcher and Cornell University professor, stated that the situation of EOS “will get worse,” and emphasised that the bug bounty system created by EOS is not practical for finding conceptual or structural errors in the protocol.
“The EOS bug bounty is designed to catch simple coding errors, not conceptual errors with the protocol. EOS friends, did you get any help from an expert on consensus protocols? You know not to roll your own crypto. Why are you rolling your own consensus protocol? This is like not inventing your own scalpel, but then going ahead with brain surgery,” Sirer noted.
EOS Centralization Issue
Soon after its controversial mainnet launch, EOS developers received criticism from Szabo, who stated that the centralized aspect of EOS leaves the project vulnerable to attacks and various security holes.
“In EOS a few complete strangers can freeze what users thought was their money. Under the EOS protocol you must trust a ‘constitutional’ organization comprised of people you will likely never get to know. The EOS ‘constitution’ is socially unscalable and a security hole,” Szabo said.
Szabo's statement referred to the ability of EOS to confiscate and suspend accounts after inactivity, which leading EOS block producer candidate EOS New York previously explained in an interview with The Next Web.
But even Rick Schlesinger, the co-founder of EOS New York, said that users should scrutinize EOS over the controversial account suspension process.
“I do think the community is going to scrutinize [Article XV] closely (as they should). This is why we’re here – to experiment with this nascent technology and learn about how a governed blockchain can respond to the community’s will,” Schlesinger said.