Guido Vranken, who describes himself as “Ethereum Foundation dedicated fuzz tester,” has found eight critical vulnerabilities in EOS’ code in just one day, with four more to be confirmed.
“A couple more waiting to be rewarded. I think the final tally was $120K but I lost count. Took me about a week,” he said, referring to EOS’ bounty of $10,000 per critical bug, which they describe as:
The vulnerabilities have not been publicly disclosed at the time of writing, but they are described as:
“EOSIO (EOS cryptocurrency token) 10 remote vulnerabilities TBA”
We’re not sure if this is asserts again, but if that sort of basic oversight manages to find its way into effectively live production code, then it strongly suggests the whole thing is bug-ridden.
Making such a simple mistake is often a sign of incompetence, as has now sort of been confirmed by the disclosure of these 12 new bugs after just one week of work.
How many more bugs there are, and whether others will be as nice as Vranken, remains to be seen.
Emin Gün Sirer, Cornell Professor and himself a very capable haxor, had a nice short story on the dilemma one might face when weighing $10,000 in a bug reward or potentially millions of EOS tokens in a bug exploit.
Many will choose the former, but some undoubtedly will prefer the latter. Which is why open source code where cryptos are concerned is the most secure when tested by time, and the most vulnerable otherwise.
We say when tested by time because you’d think there would be some game-theoretical aspects to finding a bug while being the kind inclined to exploit it. That is, others might disclose it and have it fixed, or others might exploit it first, so money-losing bugs are unlikely to stay up for long where code is concerned.
Some bugs, however, “merely” crash nodes, without changing ownership of the money itself. For those, you’d probably just take the $10,000, but if the choice is between $10,000 and $10 million, superhonestnodes would still go for $10,000, but others may not.
In short, the bug bounty in EOS needs to be raised to a million or ten million for any disclosed money-losing vulnerability, considering they have plenty of money and therefore can easily afford it, and considering the chances that there is a money-losing bug stand at our out-of-thin-air estimate of around 90%.
We place it so high because it looks like the code has clearly not been audited, and the one publicly disclosed bug found so far looks far too basic. With 12 more found in just one week by one individual, although clearly a very capable one, even 90% might be a low estimate.
It is of course the case that bugs are unavoidable, but not silly bugs. Those should be fixed in months of testing, audits, and so on, as with Hybrid Casper, which has been in testing for six months now and will still take some more months to release.
That makes it an almost year-long process just for testing, while EOS somehow coded the whole thing, tested it and audited it in just one year. That, at least, is what you would want to think, but the “tested it, audited it” part is very much in doubt.
Not least because we doubt they have the resources: there aren’t that many free-floating developers around, which is presumably partly why they have apparently already offered Guido Vranken a job.
We’re not sure if he accepted it, but swapping boy genius Vitalik Buterin, among many other very smart minds in eth, for Dan “serial entrepreneur” Larimer wouldn’t be a very smart move in our view, and Vranken looks smart.
In any event, all these bugs that have been revealed thankfully have not made it to live production, you’d think, because EOS has not actually launched yet. It is instead going through a 48-hour testing period, assuming no bugs are found.
We do not know if they have, on their own, found any such bugs. If they do, or if they cannot fix the bugs revealed/found in a timely manner, they may extend the testing period.
For now, they have already launched a somewhat closed chain with EOS Canada announcing:
“We are pleased to say that yesterday around 5pm, we started receiving blocks from a community started chain. They loaded 694,947 actions into 4,550 initial blocks, honoring the contribution of everyone participating in the ERC-20 token crowdsale.
Since then, an impressive number of Block Producer Candidates have been tirelessly working to ensure all the contracts were correct, all the balances were honored properly, and all the governance texts were correct and on-chain…
We are being extra cautious in how events unfold, but I have to say that all validation, stress testing by all participating Block Producer Candidates, have passed on that chain.”
It’s unclear when exactly these 12 bugs were disclosed, but the latest timestamp is 11 hours ago, presumably London time, making it around midnight London time. That translates to around 5PM in America, which is when the chain, currently in test mode, apparently started.
Apparently their stress testing and validation has given a pass, even while bugs are being disclosed. That’s presumably because they’re seemingly impatient:
Moreover, we find this statement somewhat interesting: “an impressive number of Block Producer Candidates have been tirelessly working to ensure all the contracts were correct.”
In other words, they have seemingly already formed communication lines between block producers, presumably through some private online chat-room, lowering the barriers to any potential collusion to effectively zero as far as organizing/coordination is concerned.
You can of course argue miners talk to each other too, but Hybrid Casper will make miners less relevant, and miners can’t confiscate your money unless 16,000 other nodes agree, which is impossible unless there is some stupendously extraordinary event.
In EOS, they can. Obviously you’d think they won’t any time soon, but if the platform was really used, then the dictum that power corrupts will necessarily apply.
And although one can argue they would be voted out, the problem is no one might know they misbehaved. Moreover, any voting out isn’t on an if/then basis, but depends on rallying the holders, who might not care at all about your silly smart contract and might actually be incentivized to ignore you or play it down for fear it might affect the price.
Which means you’re left at the whims of a cartel that arguably has already colluded, leaving a world where EOS is used with the same problems we currently face, that is trusting some admin that he won’t just delete your project, or trusting some bank that it won’t just keep your money.