Misconfigured EOS Nodes May Expose Private Keys

Attackers are trying to find nodes with this vulnerability
30 May 2018

Attackers are scanning the Internet for EOS nodes that hand out their private keys because of a misconfigured API, Bleeping Computer reports.

As reported by GreyNoise, the scanning began on Tuesday, and all of the suspicious activity comes from the IP address

GreyNoise Intelligence (Twitter)

The scanning began a few hours after the Chinese company Qihoo 360 published a report on a "series of huge vulnerabilities" in the EOS software that allow remote code execution on nodes and have a number of other undesirable consequences. However, the scanning does not appear to be related to that report.

Instead, it is directly related to a report published on GitHub a week earlier, which describes a problem with an EOS RPC API endpoint that leads to the disclosure of the private keys of EOS accounts.

According to the GitHub report, there is no authentication protecting this API endpoint, and the key material is returned over the network through the node's public interface.

The party behind the scanning has evidently read the GitHub report and is now looking for nodes whose owners have not yet taken the necessary measures to secure them.

Nevertheless, the situation is not as critical as it may seem. As one EOS developer explained, this API endpoint is not a standard part of the EOS API and is only provided by the wallet_plugin. That plugin is intended for testing, so in practice very few nodes that are exposed directly to the Internet would be running it, and, as a rule, it is not enabled on production nodes.

In any case, EOS node operators who have not yet done so should disable the plugin on their production nodes and use a different method for handling private keys.
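The two conditions the article describes, the wallet plugin being loaded into a node and the node's HTTP interface being reachable from the network, can be checked mechanically in a nodeos config.ini. The following lint is an added example written for this page; it is not code from the article, from the GitHub report, or from the EOSIO project. The two sample configs are constructed for the example. The plugin names eosio::wallet_plugin and eosio::wallet_api_plugin and the option names http-server-address and plugin are EOSIO's; the choice to treat any non-loopback bind address as exposed, and the suggestion to keep keys in a separate wallet process (for example keosd bound to loopback) rather than in nodeos, are this example's recommendations, not the article's.

```python
"""Lint a nodeos config.ini for a wallet API exposed over the network.

Added example for this page, not EOSIO project code. Sample configs are
constructed; plugin and option names are EOSIO's.
"""
import ipaddress
from typing import Dict, List

# Plugins that put wallet functionality behind the node's HTTP API.
# eosio::wallet_api_plugin is the HTTP front end and pulls in
# eosio::wallet_plugin, which holds the key material.
WALLET_PLUGINS = {"eosio::wallet_plugin", "eosio::wallet_api_plugin"}

# Constructed sample: wallet plugins loaded and the HTTP API bound to every
# interface, i.e. the situation the article describes.
WEAK_CONFIG = """\
# nodeos config.ini (constructed sample, weak)
http-server-address = 0.0.0.0:8888
plugin = eosio::chain_api_plugin
plugin = eosio::http_plugin
plugin = eosio::wallet_api_plugin
plugin = eosio::wallet_plugin
"""

# Constructed sample: wallet plugins removed and the HTTP API bound to
# loopback only. Keys are handled by a separate wallet process (assumption:
# keosd on loopback), never by nodeos itself.
HARDENED_CONFIG = """\
# nodeos config.ini (constructed sample, hardened)
http-server-address = 127.0.0.1:8888
plugin = eosio::chain_api_plugin
plugin = eosio::http_plugin
"""


def parse_config(text: str) -> Dict[str, List[str]]:
    """Parse nodeos' flat `key = value` format.

    Keys may repeat (every `plugin =` line is one entry), so each key maps
    to the list of its values in file order. `#` starts a comment.
    """
    options: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        options.setdefault(key, []).append(value)
    return options


def http_is_public(bind: str) -> bool:
    """True if an http-server-address value is reachable from other hosts.

    Loopback literals and "localhost" are private; a wildcard address, a
    bare port (no host), or anything we cannot classify counts as public.
    """
    host, _, _port = bind.rpartition(":")
    host = host.strip("[]")  # IPv6 literals are written as [addr]:port
    if not host:             # ":8888" binds all interfaces
        return True
    if host == "localhost":
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True          # hostname we cannot resolve offline: assume exposed


def audit(text: str) -> List[str]:
    """Return findings for one config; an empty list means nothing flagged."""
    opts = parse_config(text)
    findings: List[str] = []
    wallet = sorted(set(opts.get("plugin", [])) & WALLET_PLUGINS)
    public = [b for b in opts.get("http-server-address", []) if http_is_public(b)]
    if wallet and public:
        findings.append(
            "CRITICAL: wallet plugins loaded (%s) and HTTP API bound to %s; "
            "wallet endpoints are reachable from the network"
            % (", ".join(wallet), ", ".join(public))
        )
    elif wallet:
        findings.append(
            "WARNING: wallet plugins loaded (%s); remove them from production "
            "nodes and keep keys in a separate wallet process" % ", ".join(wallet)
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit(cfg) or ["no findings"])
```

Run it against a real config.ini by reading the file into `audit()`. The check is deliberately conservative: a node that loads the wallet plugins is flagged even when bound to loopback, because the article's point is that the plugin should not be on production nodes at all, and any bind address the script cannot prove to be loopback is treated as public.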

Earlier, the EOS developers reported that they had fixed the vulnerability discovered by Qihoo 360, adding that it was not as serious as the Chinese company had made out.

Block One to Issue EOS Resource Allocation Model

The team made the proposal after the recent incident in which the EIDOS airdrop caused problems accessing REX
24 December 2019

Block.one, the company behind the development of the EOSIO blockchain, has published an official proposal to change the current system for allocating CPU resources on the EOS network, under which users would rent them for 30-day periods.

In November, during the EIDOS airdrop, in which users spent CPU resources to receive free coins, there were problems accessing REX, the exchange for CPU resources. At the same time, the cost of resources soared by more than 100,000%. This situation prompted the team to draft the proposal.

REX allows users to stake EOS coins and lend the resources they are entitled to in return to other users in exchange for a reward.

According to the project's blog, the current resource allocation system is designed in such a way that most resources remain unused despite high demand, so the EOS network cannot fully realize its performance potential.

During the November incident, REX handled about 30% of the network's resources, and once those were exhausted only a very small part of the remaining 70% was used. This, the developers write, is also confirmed by the fact that less than half of the blockchain's bandwidth was in use.

Under the new proposed system, a user will pay a resource rental fee via a smart contract to be granted 30 days worth of CPU/NET from the total supply. After 30 days the rental must be renewed and pricing is automatically adjusted using a market based mechanism, based on changes in supply and demand for CPU/NET resources.


Block.one Team

Block.one representatives say that users will still be able to stake EOS coins under the new system, but instead of resources they will be compensated with fees from the EOS name and RAM auctions and with CPU/NET rental income.

The objective of proposing a transition from a resource entitlement model to a leasing or rental model is to remove the influence of speculative markets over resource pricing. Introducing a rental market with pricing based on overall resource utilization will make resource allocation more predictable and reliable for the community.


Block.one Team

The proposal provides that the rental price should rise as the available resources decrease. The transition itself is to be gradual, with resources progressively moved from the old REX implementation to the new one.