EOSRescuer: Rescuing High-Risk EOS Accounts
As the largest ICO in history, EOS is touted as the most competitive candidate for next-generation blockchain systems and has naturally attracted great attention world-wide. Amid all the buzz about EOS, its security is one of the most controversial topics.
In this blog, PeckShield researchers take a close look at a key component of EOS, i.e., EOS accounts. In particular, we are interested in understanding how EOS accounts are generated by existing tools. We are surprised to find that certain EOS accounts are readily vulnerable to compromise, and the corresponding digital assets are at serious risk of being stolen. For simplicity, we call these affected accounts high-risk EOS accounts. In order to mitigate the issue and protect high-risk EOS users, PeckShield is now launching a public service dubbed EOSRescuer.
In the following, we go through the details of this particular security issue and disclose the list of vulnerable accounts covered by EOSRescuer.
The risk stems from improper use of third-party EOS key-pair generation tools, including but not limited to EOSTEA. These tools make it easy for users to generate their EOS key pairs from user-provided seeds. Unfortunately, if a simple seed is chosen (by the user) and allowed (by the tool), the generated keys might be exposed and exploited by a rainbow table attack (or dictionary attack).
To rescue these high-risk EOS accounts that are vulnerable to rainbow table attacks, we first create a secure EOS account and then, as a makeshift arrangement, transfer the EOS balances from the vulnerable accounts to this secure one. Next, we will return the transferred EOS balances to the original users (after verifying their authentic account ownership) in a transparent and verifiable way. Meanwhile, every EOS holder is encouraged to check her account by querying EOSRescuer (https://peckshield.com/eosrescuer). If the account is labeled as in danger, please contact us ASAP. In order to claim back your balances covered by EOSRescuer, please provide enough information to prove your ownership of the accounts, such as the necessary official activity record of the account. This entire process is transparent and free, and should be subject to third-party media inquiry or audit.
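The check a seed-based key generator could run before deriving a key from a user-provided seed, as an added example (not code from PeckShield, EOSTEA or any other tool named on this page). It assumes the tool derives the private key as SHA-256 of the seed; the word list, threshold and function names are constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

// Constructed sample of a weak-seed dictionary; a real gate would load a large leaked-password list.
const WEAK_SEEDS = new Set(['password', '123456', 'eos', 'qwerty', 'iloveyou', 'bitcoin']);

// ASSUMPTION: private key = SHA-256(seed), the common "brain wallet" construction.
// The page does not state how any specific tool derives keys.
// The derivation is deterministic: everyone who types the same seed gets the same key.
function derivePrivateKeyHex(seed) {
  return nodeCrypto.createHash('sha256').update(seed, 'utf8').digest('hex');
}

// Upper bound on guessing entropy: length * log2(size of the character classes used).
// Passing this bound does not prove a seed is strong; failing it proves it is weak.
function entropyBoundBits(seed) {
  let pool = 0;
  if (/[a-z]/.test(seed)) pool += 26;
  if (/[A-Z]/.test(seed)) pool += 26;
  if (/[0-9]/.test(seed)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(seed)) pool += 33;
  return pool === 0 ? 0 : seed.length * Math.log2(pool);
}

// Returns the reasons a seed must be rejected; an empty array means it passed.
function auditSeed(seed, minBits = 128) {
  const reasons = [];
  // Normalise the way a dictionary would be built: case-fold, strip trailing digits/punctuation.
  const base = seed.toLowerCase().replace(/[^a-z]+$/, '');
  if (WEAK_SEEDS.has(seed.toLowerCase()) || WEAK_SEEDS.has(base)) reasons.push('dictionary');
  if (new Set(seed).size <= 2) reasons.push('repeated-characters');
  if (entropyBoundBits(seed) < minBits) reasons.push('low-entropy');
  return reasons;
}

// What the tool should offer instead of a user-typed seed: 256 bits from the OS CSPRNG.
function generateSeed() {
  return nodeCrypto.randomBytes(32).toString('hex');
}
```

A seed such as `Password2018!` is rejected for both `dictionary` and `low-entropy`, while the output of `generateSeed()` passes every check.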
We have so far finished part of the effort to rescue certain victim EOS holders’ balances. The related information is listed in the following:
We highlight that this effort is still in progress, and EOS holders are always encouraged to re-query EOSRescuer for the latest result. DON'T WORRY if your account is labeled: all you need to do is contact us (by sending email to [email protected]) with proof that you are indeed the owner of that EOS account. Also, if you have chosen a weak mnemonic, please be sure to choose a stronger one, re-generate a new EOS key pair, and then follow the guideline to change the private key for your EOS account.
PeckShield Inc. is a blockchain security company which aims to elevate the security, privacy, and usability of the current blockchain ecosystem by offering top-notch, industry-leading services and products (e.g., smart contract auditing). Please contact us at Telegram, Twitter, or Email.
- An “In-the-Wild” Victim Report about EOS Key Attack (in Chinese), June 18, 2018
- EOSRescuer: Rescuing High-Risk EOS Accounts, July 10, 2018
- EOSTEA: https://github.com/eostea/eos-generate-key, Last visited on July 10, 2018
- Rainbow table attack: https://en.wikipedia.org/wiki/Dictionary_attack, Last edited on May 2, 2018
- Changing the private key for an EOS account: https://medium.com/@cc32d9/changing-the-private-key-for-an-eos-account-58a79dc385cd, June 17, 2018