PDF(4095 KB)
A survey on EOSIO systems security: vulnerability, attack, and mitigation
Ningyu HE, Haoyu WANG, Lei WU, Xiapu LUO, Yao GUO, Xiangqun CHEN
PDF(4095 KB)
PDF(4095 KB)
A survey on EOSIO systems security: vulnerability, attack, and mitigation
EOSIO, as a representative of blockchain 3.0 platforms, immediately follows in the footsteps of Bitcoin and Ethereum. It has raised the largest ever initial coin offering, and its market capitalization has reached up to $14.3 billion. Innovatively, EOSIO brings adopts lots of new features, like the delegated proof of stake consensus algorithm and updatable smart contracts. Not only these features lead to a prosperity of the decentralized application ecosystem, but they also inevitably introduce loopholes. For example, EOSBet, a famous gambling DApp, was attacked twice within a single month and lost more than $1 million. To the best of our knowledge, little work has surveyed the EOSIO from a security researcher’s perspective. To fill this gap, we firstly abstract the complicated EOSIO ecosystem into components following hierarchical relationships, upon which we delve deeper for root causes of all existing vulnerabilities. We also systematically study possible attacks and mitigations against these vulnerabilities, and summarize several best practices for developers, EOSIO official, and security researchers to shed light on future directions.
EOSIO / blockchain / smart contract
Ningyu He received his BS degree at Beijing University of Posts and Telecommunications, China in 2015. He is currently pursuing a PhD in Computer Software and Theory at Peking University, China. His current research interests include blockchain security and program analysis
Haoyu Wang is a professor in the School of Cyber Science and Engineering at Huazhong University of Science and Technology, China. He received his PhD degree in Computer Science from Peking University, China in 2016. His research covers a wide range of topics in Software Analysis, Privacy and Security, eCrime, Internet/System Measurement, and AI Security
Lei Wu is an associate professor at Zhejiang University and the Co-Founder of BlockSec. He obtained his PhD from North Carolina State University, USA in 2015 and primarily focuses his research on system security and blockchain security
Xiapu Luo is a professor in the Department of Computing, The Hong Kong Polytechnic University, China. His current research interests include Mobile and IoT Security and Privacy, Blockchain and Smart Contracts, Network Security and Privacy, and Software Engineering. His work appeared in top conferences and journals, and he has received eight best paper awards, including ACM SIGSOFT Distinguished Paper Award in ICSE’21, Best Paper Award in INFOCOM’18, etc
Yao Guo obtained his BS and MS degrees, both in Computer Science, from Peking University, China in 1997 and 2000, respectively. He received his PhD in Computer Engineering from University of Massachusetts at Amherst, USA in 2007. He currently is a professor in the Institute of Software of the School of Computer Science at Peking University and served as Vice Dean of the School of Computer Science. His general research interests include operating systems, mobile computing and applications, software security and software engineering
Xiangqun Chen obtained her BS and MS degrees from Peking University, China in 1983 and 1986, respectively. She is a professor in the School of Computer Science, and has served as the Party Secretary of School of Software and Microelectronics. She has published more than 70 research papers. Her research interests currently include operating systems, software engineering, and security
| [1] |
Nakamoto S. Bitcoin: a peer-to-peer decentralized cryptocurrency system. See bitcoin.org/en/ website, 2019
|
| [2] |
Bitcoin’s market cap. See coinmarketcap.com/currencies/bitcoin/ website, 2023
|
| [3] |
coindesk
|
| [4] |
Unlimited size of blocks. See bitcoinsv.com website, 2023
|
| [5] |
Ethereum Layer-2 solution. See ethereum.org/en/layer-2/ website, 2023
|
| [6] |
Bitcoin transaction fee. See ycharts.com/indicators/bitcoin_average_transaction_fee website, 2023
|
| [7] |
Ethereum transaction fee. See etherscan.io/chart/avg-txfee-usd website, 2023
|
| [8] |
Heilman E, Kendler A, Zohar A, Goldberg S. Eclipse attacks on Bitcoin’s peer-to-peer network. In: Proceedings of the 24th USENIX Conference on Security Symposium. 2015, 129−144
|
| [9] |
Attack against Parity wallet. See blog.openzeppelin.com/on-the-parity-wallet-multisig-hack-405a8c12e8f7 website, 2023
|
| [10] |
EOSIO
|
| [11] |
He N, Zhang R, Wang H, Wu L, Luo X, Guo Y, Yu T, Jiang X. EOSAFE: security analysis of EOSIO smart contracts. In: Proceedings of the 30th USENIX Security Symposium. 2021
|
| [12] |
FRANKENFIELD J. Definition of ICO. See investopedia.com/terms/i/initial-coin-offering-ico.asp website, 2019
|
| [13] |
Rooney K. ICO of EOSIO has raised up to 4 billion USD. See cnbc.com/2018/05/31/a-blockchain-start-up-just-raised-4-billion-without-a-live-product.html website, 2018
|
| [14] |
Peak of market cap of EOSIO. See coinmarketcap.com/currencies/eos/ website, 2023
|
| [15] |
The DPoS consensus. See en.bitcoinwiki.org/wiki/DPoS website, 2020
|
| [16] |
EOSIO network monitor. See eosnetworkmonitor.io/ website, 2020
|
| [17] |
WebAssembly Official Site. See webassembly.org/ website, 2019
|
| [18] |
CRAIG RUSSO. EOSIO surpasses Ethereum in transaction volume. See web.archive.org/web/20201109031452/ website, 2018
|
| [19] |
Aurora Tech. EOSBet official site. See eosbet.io/ website, 2020
|
| [20] |
EOS
|
| [21] |
PeckShield Inc. EOSBet was attacked by Fake Recipt. See web.archive.org/web/20211019032401/blog.peckshield.com/2018/10/26/eos/ website, 2018
|
| [22] |
Chen Y. Flaw in EOS VM. See web.archive.org/web/20230929130452/blogs.360.cn/post/eos-asset-multiplication-integer-overflow-vulnerability.html website, 2018
|
| [23] |
PeckShield Inc. Inline reflex. See web.archive.org/web/20210920113641/blog.peckshield.com/2018/12/18/inlineReflex/ website, 2018
|
| [24] |
PeckShield Inc. Blogs about blockchain security events. See web.archive.org/web/20210920115915/blog.peckshield.com/blog.html website, 2020
|
| [25] |
SlowMist Zone. Blockchain security events. See hacked.slowmist.io/en/ website, 2020
|
| [26] |
Michel C. Blog site of EOSIO technology. See cmichel.io/categories/EOS website, 2021
|
| [27] |
EOSIO
|
| [28] |
Michel C. Limitation of time of executing transaction. See cmichel.io/deferred-transactions-on-eos/ website, 2018
|
| [29] |
Greg Walker. Transaction fee of Bitcoin. See learnmeabitcoin.com/technical/transaction-fee website, 2016
|
| [30] |
Emanuel Coen. Transaction fee of Ethereum. See cryptotesters.com/blog/ethereum-gas website, 2020
|
| [31] |
ewasm
|
| [32] |
Forum: Bitcoin Gambling. See forum.bitcoingambling.io/ website, 2020
|
| [33] |
Forum: Reddit EOS section. See reddit.com/r/eos/ website, 2020
|
| [34] |
BCSEC
|
| [35] |
Regehr J. Signed multiplication is undefined in c++. See blog.regehr.org/archives/213 website, 2010
|
| [36] |
Official patch for asset overflow vulnerability. See github.com/EOSIO/eos/commit/b7b34e5b794e323cdc306ca2764973e1ee0d168f website, 2018
|
| [37] |
Quan L, Wu L, Wang H. EVulHunter: detecting fake transfer vulnerabilities for EOSIO’s smart contracts at webassembly-level. 2019, arXiv preprint arXiv: 1906.10362
|
| [38] |
Huang Y, Jiang B, Chan W K. EOSFuzzer: fuzzing EOSIO smart contracts for vulnerability detection. In: Proceedings of the 12th Asia-Pacific Symposium on Internetware. 2020
|
| [39] |
Huang Y, Wang H, Wu L, Tyson G, Luo X, Zhang R, Liu X, Huang G, Jiang X. Understanding (Mis) behavior on the EOSIO blockchain. In: Proceedings of the ACM on Measurement and Analysis of Computing Systems. 2020, 1−28
|
| [40] |
SlowMist
|
| [41] |
PeckShield
|
| [42] |
Le Q. EOSDice attacked due to random number. See medium.com/leclevietnam/hacking-in-eos-contracts-and-how-to-prevent-it-b8663c8bffa6 website, 2018
|
| [43] |
Larimer D. An ideal prng prototype in eosio. See eosio.stackexchange.com/questions/41/how-can-i-generate-random-numbers-inside-a-smart-contract#answer-215 website, 2019
|
| [44] |
EOS Titan. DelphiOracle in EOSIO. See github.com/eostitan/delphioracle website, 2020
|
| [45] |
LiquidHarmony
|
| [46] |
AlgoTrader, an oracle, in EOSIO. See eosio.algotrader.com/home website, 2021
|
| [47] |
Chinen Y, Yanai N, Cruz J P, Okamura S. RA: hunting for re-entrancy attacks in ethereum smart contracts via static analysis. In: Proceedings of 2020 IEEE International Conference on Blockchain (Blockchain). 2020, 327−336
|
| [48] |
Rodler M, Li W, Karame G O, Davi L. Sereum: protecting existing smart contracts against re-entrancy attacks. 2018, arXiv preprint arXiv: 1812.05934
|
| [49] |
Michel C. EOSIO re-entrancy attack. See cmichel.io/eos-vault-sx-hack/ website, 2021
|
| [50] |
SlowMist
|
| [51] |
SlowMist
|
| [52] |
SlowMist
|
| [53] |
PeckShield Inc. Transaction congestion attack in EOSIO. See web.archive.org/web/20210920120718/https://blog.peckshield.com/2019/01/15/eos_CVE-2019-6199/ website, 2019
|
| [54] |
EIDOS official site. See enumivo.org/ website, 2020
|
| [55] |
REX official site. See eosauthority.com/rex website, 2020
|
| [56] |
Perez D, Xu J, Livshits B. Revisiting transactional statistics of high-scalability blockchains. In: Proceedings of the ACM Internet Measurement Conference. 2020, 535−550
|
| [57] |
PeckShield Inc. CPU hijacking attack in EOSIO. See peckshield.medium.com/eidos-airdrop-stifles-the-liveness-of-eosio-network-acbb8fb5ebb4 website, 2019
|
| [58] |
Sotnichek M. RAM hijacking attack in EOSIO. See apriorit.com/dev-blog/576-eos-ram-exploit website, 2018
|
| [59] |
Consensus upgrade against CPU resources. See github.com/EOSIO/eos/issues/6332 website, 2018
|
| [60] |
SlowMist
|
| [61] |
EOSIO.SG
|
| [62] |
Definition of social engineering. See webroot.com/us/en/resources/tips-articles/what-is-social-engineering website, 2021
|
| [63] |
bloks.io
|
| [64] |
eosflare
|
| [65] |
EOSIO
|
| [66] |
DApp Radar. Daily volume of gambling DApp EOSDice. See dappradar.com/eos/gambling/eosdice website, 2018
|
| [67] |
Michel C. Attack against EOSPlay. See cmichel.io/what-really-happened-with-the-eos-play-hack/ website, 2019
|
| [68] |
PeckShield Inc. Financial loss of the random number attack against EOSPlay. See web.archive.org/web/20210423161849/https://blog.peckshield.com/2019/09/16/EOSPlay/ website, 2019
|
| [69] |
Official site of Vaults.sx. See eosx.io/defi/vaults website, 2021
|
| [70] |
AAVE. Defination of flash loan. See aave.com/flash-loans/ website, 2021
|
| [71] |
Michel C. The re-entrancy attack against Vaults.sx. See cmichel.io/eos-vault-sx-hack/ website, 2021
|
| [72] |
Transaction instance of permission-less injection attack. See eos.eosq.eosnation.io/tx/ad143e3da45f7661eb4540b51d23dc6bfaa64b1de6989297f3b4e2170e17ff08 website, 2021
|
| [73] |
Official patch for inline reflex. See github.com/EOSIO/eos/releases/tag/v1.5.1 website, 2018
|
| [74] |
eosfo.io requires players’ eosio.code permission. See cloud.tencent.com/developer/news/285297 website, 2018
|
| [75] |
CHINABTCNEWS
|
| [76] |
YUSUFF O. Fake deposit in Ripple. See newslogical.com/remitano-halts-bitcoin-ethereum-trading-indefinitely-over-fake-ripples-xrp-deposits/ website, 2019
|
| [77] |
SlowMist
|
| [78] |
Mailicious rollback attack example in EOSIO. See web.archive.org/web/20230222105606 website, 2019
|
| [79] |
Example of transaction congestion. See eosq.app/block/02344b09116e94221737ae411c4ecd37f9da2778e0612a6d5f956edba9a12061 website, 2020
|
| [80] |
Hatze V. The severe result caused by EIDOS project. See dailycoin.com/2021-is-not-the-year-for-eos/ website, 2021
|
| [81] |
CoinGecko
|
| [82] |
Titan Labs. Historical price of CPU resource. See labs.eostitan.com/#/cpu-quota/?period=2019&mode=linear website, 2021
|
| [83] |
PeckShield Inc. Decrease of daily user resulted from EIDOS project. See web.archive.org/web/20210920105634/ website, 2019
|
| [84] |
RAM hijacking attack is reported by official. See bitcoinexchangeguide.com/breaking-eos-potential-eosio-ram-exploit-hack-vulnerability-solution-issued-but-large-exchanges-still-at-risk/ website, 2018
|
| [85] |
MrToph
|
| [86] |
EOS GO. Gambling DApps are extremely popular in EOSIO. See eosgo.io/blog/eos-shift-from-gambling-to-gaming-dapps website, 2019
|
| [87] |
Staff C. Re-entrancy attack in Ethereum targeting at TheDAO. See gemini.com/cryptopedia/the-dao-hack-makerdao website, 2021
|
| [88] |
Wang D, Jiang B, Chan W K. WANA: symbolic execution of wasm bytecode for cross-platform smart contract vulnerability detection. 2020, arXiv preprint arXiv: 2007.15510
|
| [89] |
Lee S, Kim D, Kim D, Son S, Kim Y. Who spent my EOS? On the (in) security of resource management of EOS.IO. In: Proceedings of the 13th USENIX Conference on Offensive Technologies. 2019
|
| [90] |
Yan Z H, Qian W, Yang Z, Zeng W, Yang X, Li A. TFFV: translator from EOS smart contracts to formal verification language. In: Proceedings of the 6th International Conference on Artificial Intelligence and Security. 2020, 652−663
|
| [91] |
Ashraf I, Ma X, Jiang B, Chan W K . GasFuzzer: fuzzing ethereum smart contract binaries to expose gas-oriented exception security vulnerabilities. IEEE Access, 2020, 8: 99552–99564
|
| [92] |
Jiang B, Liu Y, Chan W K. ContractFuzzer: Fuzzing smart contracts for vulnerability detection. In: Proceedings of the 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE). 2018, 259−269
|
| [93] |
Zhao Y, Liu J, Han Q, Zheng W, Wu J. Exploring EOSIO via graph characterization. In: Proceedings of the 2nd International Conference on Blockchain and Trustworthy Systems. 2020
|
| [94] |
Zheng W, Zheng Z, Dai H N, Chen X, Zheng P . XBlock-EOS: extracting and exploring blockchain data from EOSIO. Information Processing & Management, 2021, 58( 3): 102477
|
| [95] |
EOS Cafe Block. Potential impact of REX on EOSIO’s resource system. See medium.com/@eoscafeblock/what-rex-means-for-token-holders-238375dea397 website, 2018
|
| [96] |
EOSIO. Bug bounty program of EOSIO. See eos.io/security-vulnerabilities/ website, 2021
|
| [97] |
Lehmann D, Kinder J, Pradel M. Everything old is new again: binary security of webassembly. In: Proceedings of the 29th USENIX Security Symposium. 2020, 217−234
|
| [98] |
Hilbig A, Lehmann D, Pradel M. An empirical study of real-world webassembly binaries: security, languages, use cases. In: Proceedings of the Web Conference 2021. 2021, 2696−2708
|
| [99] |
Stiévenart Q, De Roover C. Compositional information flow analysis for WebAssembly programs. In: Proceedings of the 20th IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM). 2020, 13−24
|
| [100] |
Perez D, Livshits B. Smart contract vulnerabilities: vulnerable does not imply exploited. In: Proceedings of the 30th USENIX Security Symposium. 2021
|
| [101] |
Li X, Jiang P, Chen T, Luo X, Wen Q . A survey on the security of blockchain systems. Future Generation Computer Systems, 2020, 107: 841–853
|
| [102] |
Zheng Z, Xie S, Dai H N, Chen X, Wang H . Blockchain challenges and opportunities: a survey. International Journal of Web and Grid Services, 2018, 14( 4): 352–375
|
| [103] |
Atzei N, Bartoletti M, Cimoli T. A survey of attacks on ethereum smart contracts (Sok). In: Proceedings of the 6th International Conference on Principles of Security and Trust, Held as Part of the European Joint Conferences on Theory and Practice of Software. 2017, 164−186
|
| [104] |
Praitheeshan P, Pan L, Yu J, Liu J, Doss R. Security analysis methods on ethereum smart contract vulnerabilities: a survey. 2019, arXiv preprint arXiv: 1908.08605
|
| [105] |
Chen H, Pendleton M, Njilla L, Xu S . A survey on ethereum systems security: vulnerabilities, attacks, and defenses. ACM Computing Surveys, 2021, 53( 3): 67
|
| [106] |
Wahab A, Mehmood W. Survey of consensus protocols. 2018, arXiv preprint arXiv: 1810.03357
|
| [107] |
Zheng Z, Xie S, Dai H N, Chen W, Chen X, Weng J, Imran M . An overview on smart contracts: challenges, advances and platforms. Future Generation Computer Systems, 2020, 105: 475–491
|
| [108] |
Nguyen G T, Kim K . A survey about consensus algorithms used in blockchain. Journal of Information Processing Systems, 2018, 14( 1): 101–128
|
| [109] |
Dai H N, Zheng Z, Zhang Y . Blockchain for internet of things: a survey. IEEE Internet of Things Journal, 2019, 6( 5): 8076–8094
|
| [110] |
Al-Jaroodi J, Mohamed N . Blockchain in industries: a survey. IEEE Access, 2019, 7: 36500–36515
|
| [111] |
Di Francesco Maesa D, Mori P . Blockchain 3. 0 applications survey. Journal of Parallel and Distributed Computing, 2020, 138: 99–114
|
| [112] |
Wang X, Zha X, Ni W, Liu R P, Guo Y J, Niu X, Zheng K . Survey on blockchain for internet of things. Computer Communications, 2019, 136: 10–29
|
| [113] |
Berdik D, Otoum S, Schmidt N, Porter D, Jararweh Y . A survey on blockchain for information systems management and security. Information Processing & Management, 2021, 58( 1): 102397
|
| [114] |
Huynh-The T, Gadekallu T R, Wang W, Yenduri G, Ranaweera P, Pham Q V, da Costa D B, Liyanage M . Blockchain for the metaverse: a review. Future Generation Computer Systems, 2023, 143: 401–419
|
| [115] |
Gai K, Guo J, Zhu L, Yu S . Blockchain meets cloud computing: a survey. IEEE Communications Surveys & Tutorials, 2020, 22( 3): 2009–2030
|
| [116] |
Zhou Q, Huang H, Zheng Z, Bian J . Solutions to scalability of blockchain: a survey. IEEE Access, 2020, 8: 16440–16455
|
| [117] |
Monrat A A, Schelén O, Andersson K . A survey of blockchain from the perspectives of applications, challenges, and opportunities. IEEE Access, 2019, 7: 117134–117151
|
| [118] |
Feng Q, He D, Zeadally S, Khan M K, Kumar N . A survey on privacy protection in blockchain system. Journal of Network and Computer Applications, 2019, 126: 45–58
|
| [119] |
Tasatanattakool P, Techapanupreeda C. Blockchain: Challenges and applications. In: Proceedings of 2018 International Conference on Information Networking (ICOIN). 2018, 473−475
|
| [120] |
Lee D, Lee D H. Push and pull: Manipulating a production schedule and maximizing rewards on the EOSIO blockchain. In: Proceedings of the 3rd ACM Workshop on Blockchains, Cryptocurrencies and Contracts. 2019, 11−21
|
| [121] |
Song W, Zhang W, Zhai L, Liu L, Wang J, Huang S, Li B. EOS.IO blockchain data analysis. The Journal of Supercomputing. 2022, 1−32
|
| [122] |
Zheng W, Liu B, Dai H N, Jiang Z, Zheng Z, Imran M. Unravelling token ecosystem of EOSIO blockchain. 2022, arXiv preprint arXiv: 2202.11201
|
| [123] |
Fernández-Carrasco J Á, Echeberria-Barrio X, Paredes-García D, Zola F, Orduna-Urrutia R . ChronoEOS 2. 0: device fingerprinting and EOSIO blockchain technology for on-running forensic analysis in an IoT environment. Smart Cities, 2023, 6( 2): 897–912
|
| [124] |
Fernandez-Carrasco J A, Egues-Arregui T, Zola F, Orduna-Urrutia R. ChronoEOS: configuration control system based on EOSIO blockchain for on-running forensic analysis. In: Prieto J, Benítez Martínez F L, Ferretti S, Arroyo Guardeño D, Tomás Nevado-Batalla P, eds. Blockchain and Applications, 4th International Congress. Cham: Springer, 2023, 37−47
|
| [125] |
Mokdad I, Hewahi N M. Empirical evaluation of blockchain smart contracts. In: Khan M A, Quasim M T, Algarni F, Alharthi A, eds. Decentralised Internet of Things: A Blockchain Perspective. Cham: Springer, 2020, 45−71
|
| [126] |
Shen J, Zhou J, Xie Y, Yu S, Xuan Q. Identity inference on blockchain using graph neural network. In: Proceedings of the 3rd International Conference on Blockchain and Trustworthy Systems. 2021, 3−17
|
| [127] |
He N, Su W, Yu Z, Liu X, Zhao F, Wang H, Luo X, Tyson G, Wu L, Guo Y. Understanding the evolution of blockchain ecosystems: a longitudinal measurement study of bitcoin, ethereum, and EOSIO. 2021, arXiv preprint arXiv: 2110.07534
|
| [128] |
Liu J, Zheng W, Lu D, Wu J, Zheng Z. Understanding the decentralization of DPoS: perspectives from data-driven analysis on EOSIO. 2022, arXiv preprint arXiv: 2201.06187
|
| [129] |
De Salve A, Lisi A, Mori P, Ricci L. Measuring EOS.IO DApp resource allocation and costs through a benchmark application. In: Proceedings of the 4th International Conference on Blockchain Technology and Applications. 2021, 24−30
|
| [130] |
Li L T, Zhang M. Poster: EOSDFA: Data flow analysis of EOSIO smart contracts. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 2022, 3391−3393
|
| [131] |
Chen W, Sun Z, Wang H, Luo X, Cai H, Wu L. WASAI: uncovering vulnerabilities in Wasm smart contracts. In: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis. 2022, 703−715
|
| [132] |
Rahman M U. Scalable role-based access control using the EOS blockchain. 2020, arXiv preprint arXiv: 2007.02163
|
/
| 〈 |
|
〉 |
AI Summary
