
/biz/ - Business & Finance


File: 3 KB, 300x168, eos.png
No.9896909

Very interesting EOS security analysis by a Chinese BP candidate. It's kind of hard to read because of poor English, but he makes a lot of good technical points.

>1st Problem: EOS proposes a resource-based mortgage model, but the implementation is far away from its original expectation. The public chains already in operation all use a fee-based model.
What he means is that because the bandwidth generated from staking EOS decays fast (3 days afaik) it's therefore nearly worthless, so if you don't need it for something you may as well spam at no cost to you. The problem is that you can spend three days' worth of bandwidth in a few minutes, which theoretically gives you the right to access far more resources than physically exist. In effect, a relatively small account can DOS the entire network for several minutes for free.

>2nd Problem: EOS has a root user, which means that the super-privilege can be authenticated without a private key. Besides, accounts that start with the characters eosio. are all quasi-super-authority accounts (there is already eosio now). This goes against the sacred inviolability of personal assets under the protection of private keys in the basic function of blockchain philosophy.
If that's true it means eos is even more centralized than anyone expected. Huh.

>3rd Problem: The design structure of the transaction is too complicated. You can see the complete EOS block data we have extracted.
Here he basically says that not enough has been done and due to complexity there's high risk of bugs.

https://www.reddit.com/r/eos/comments/8qqinu/highrisk_security_vulnerabilities_left_unchecked/

>> No.9896948

>>9896909
>4th Problem: EOS queries such as the get table query interface cannot specify keyword queries in batches [..] However, many of the query interfaces in these modules can only be queried in batches. When the data is small, it is acceptable. But when there are a million tps, such a query allows basically no machine to meet the need.
A detailed argument about a complex implementation detail, basically saying that the current version has an exploitable DOS.

>5th Problem: The faucet plugin in EOS has been deprecated for a long time and it's broken now. This plugin allows users to register a user name through a third party.
meh

>6th Problem: The instability of the chainbase database. For instance, you could call the interface of chainbase and store the same data twice, then the program could core dump. The multiIndex table in the EOS contract also utilizes chainbase. When you modify different columns of the same row in a table, only the last update will be successful.
Second report of a bug, this time something that crashes the node.

>7th Problem: EOS wasm-jit was a direct fork of Andrew Scheidecker's code for the past two years, as well as a fork of the official webassembly. There are so many bugs within which require large-scale testing.
General, related to (3)

>8th Problem: EOS has no world state. If you want to know whether the chain has been forked, the only available approach is the block-level verification.
Another complex implementation argument, but this one I don't understand fully.

>9th Problem: Instability of the mongodb and sql plugins. The mongodb plugin worked before. After a while, they want to abandon mongodb and replace it with the sqldb plugin. However, this change is deadly for eco-developers.
meh

>> No.9896976

>>9896909
>Block.one has always stressed officially that it will not be responsible for the security of the EOS mainnet. EOSForce.io has done a lot of testing and repair of the significant risks inherent in EOSIO. No one dares to say that it is 100% safe at the moment.

All in all, it seems that EOS was absolutely not ready to launch. Given these problems it's very likely that major problems are going to publicly emerge very soon, like the network crashing completely.

>> No.9897615

>>9896976
>All in all, it seems that EOS was absolutely not ready to launch.
No shit. It's been flawed from the very beginning

>> No.9897698

>>9896976
It's a complete mess
I can't understand why so many people are trusting EOS with their money