The SlowMist security team warns of an EOS account security risk. The team stated that EOS wallet developers judge purely by node verification (a minimum of 15 confirming nodes) to notify the user that an account has been successfully created. If this is not evaluated strictly, a fake-account attack can occur.
How does the attack take place?
The attack can happen when a user registers an account through an EOS wallet and the wallet reports that the registration succeeded, but because the judgment is not strict, the account has not actually been registered yet. The user then uses that account to withdraw funds from an exchange. If any party in the process is malicious, the user can end up withdrawing to an account that is not their own.
How to defend against the attack?
Poll the node and only signal success after the transaction has been returned as part of an irreversible block. The concrete technical process is: call push_transaction to obtain the trx_id, then request the interface POST /v1/history/get_transaction and check, in the returned result, that block_num is less than or equal to last_irreversible_block, meaning the block is irreversible.
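The defence described above as an added example (not SlowMist's code or any wallet's code): finality is decided only by comparing `block_num` with `last_irreversible_block` in the get_transaction reply, never by the fact that push_transaction was accepted. Node access is abstracted behind an `rpc` callable so the example runs offline; `FakeNode` is a constructed stand-in that advances the chain by one block per query.

```python
"""
Added example, not from the original article: confirm an EOS transaction
only once it sits in an irreversible block.

Assumes the node answers POST /v1/chain/push_transaction with a
"transaction_id" and POST /v1/history/get_transaction with "block_num" and
"last_irreversible_block", the fields the article names.
"""


def push_transaction(rpc, signed_tx):
    """Submit a signed transaction and return its trx_id.
    Acceptance here only means the node relayed it, not that it is final."""
    return rpc("/v1/chain/push_transaction", signed_tx)["transaction_id"]


def is_irreversible(tx_info):
    """True once the block holding the transaction is at or below the
    node's last irreversible block. A missing block_num (transaction not
    included, or an error reply) is treated as not confirmed."""
    block_num = tx_info.get("block_num")
    lib = tx_info.get("last_irreversible_block")
    if block_num is None or lib is None:
        return False
    return int(block_num) <= int(lib)


def wait_for_irreversible(rpc, trx_id, max_polls=10):
    """Poll get_transaction up to max_polls times.
    Returns (confirmed, polls_used); the wallet should only show
    'registered' when confirmed is True."""
    for i in range(1, max_polls + 1):
        tx_info = rpc("/v1/history/get_transaction", {"id": trx_id})
        if is_irreversible(tx_info):
            return True, i
    return False, max_polls


class FakeNode:
    """Constructed stand-in for a node (assumption: one block per query).
    The transaction lands in block tx_block; last_irreversible_block lags
    the head by `lag` blocks, so the transaction becomes final over time."""

    def __init__(self, tx_block=100, head=100, lag=3):
        self.tx_block, self.head, self.lag = tx_block, head, lag
        self.known = {}

    def __call__(self, path, body):
        if path == "/v1/chain/push_transaction":
            trx_id = "constructed-trx-%d" % (len(self.known) + 1)
            self.known[trx_id] = {"id": trx_id, "block_num": self.tx_block}
            return {"transaction_id": trx_id}
        if path == "/v1/history/get_transaction":
            lib = self.head - self.lag
            self.head += 1  # the chain moves on between polls
            tx = self.known.get(body["id"])
            if tx is None:
                # a real node returns an error for an unknown id; no block_num
                return {"error": "unknown transaction"}
            return dict(tx, last_irreversible_block=lib)
        raise ValueError("unexpected path: " + path)


if __name__ == "__main__":
    node = FakeNode()
    trx_id = push_transaction(node, {"signatures": [], "packed_trx": "00"})
    print(wait_for_irreversible(node, trx_id))  # (True, 4) on the fake node
```

A wallet that returns "registered" as soon as push_transaction comes back, or after counting acknowledging nodes, is exactly the loose judgment the article warns about; with the fake node above, the first three polls still report the block as reversible.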
Recently, the blockchain security firm PeckShield evaluated the security of EOS accounts and discovered that some users were exposed to serious security threats through their private keys. They found that the root cause is that some private-key generation tools let users supply a weak mnemonic combination. A private key generated this way is far more vulnerable to "rainbow table" attacks and can lead to the theft of digital assets.
PeckShield wrote, "The essence of the danger is caused by an inappropriate use of third-party EOS key-pair generation tools, including but not limited to EOSTEA. With user-provided seeds, these tools greatly facilitate users to create their EOS key pairs."
They also added, "... if an easy seed is selected (by the user) and allowed (by the tool), the generated keys could be exposed and exploited by launching the rainbow table attack (or dictionary attack)." They mentioned in their blog that, in order to protect affected owners, PeckShield will be launching a public service known as EOSRescuer.
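As an added example (not PeckShield's or EOSTEA's code), the following shows why a seed-derived key is guessable and what a key-generation tool should do instead. It assumes, as a common pattern for such tools, that the 32-byte key is derived by hashing the user's seed; the key is written in the WIF encoding (0x80 prefix, double-SHA256 checksum, base58) that EOS private keys use in practice. The seed-strength estimate is a deliberately crude upper bound and `seed_is_acceptable` is a hypothetical policy check.

```python
"""
Added example, not from the article: deterministic seed-to-key derivation
(the weakness PeckShield describes) beside a hardened generator that draws
the key from the operating system's CSPRNG.
"""
import hashlib
import math
import secrets
import string

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58(data: bytes) -> str:
    """Base58 encode; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def to_wif(raw32: bytes) -> str:
    """Wallet import format used for EOS private keys: 0x80 || key || checksum."""
    payload = b"\x80" + raw32
    check = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return base58(payload + check)


def key_from_seed(seed: str) -> str:
    """What a seed-based tool does (assumed pattern): the same seed always
    yields the same key, so anyone who can guess the seed, e.g. from a
    precomputed table of common phrases, regenerates the private key."""
    return to_wif(hashlib.sha256(seed.encode("utf-8")).digest())


def seed_strength_bits(seed: str) -> float:
    """Crude UPPER bound on guessing entropy: length times log2 of the
    character pool. A dictionary word scores well above its real entropy,
    which is why seeds should not be user-chosen at all."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in seed))
    return len(seed) * math.log2(pool) if pool else 0.0


def seed_is_acceptable(seed: str, minimum_bits: int = 128) -> bool:
    """Hypothetical policy gate a tool could apply before honouring a seed."""
    return seed_strength_bits(seed) >= minimum_bits


def random_key() -> str:
    """Hardened generator: 256 bits from the OS CSPRNG, no user input."""
    return to_wif(secrets.token_bytes(32))


if __name__ == "__main__":
    print("seed 'eos' ->", key_from_seed("eos"))   # identical on every run
    print("random     ->", random_key())            # different on every run
```

The point of the pair is not the encoding but the provenance of the 32 bytes: a key derived from a human-chosen phrase is only as strong as that phrase, while a key from `secrets.token_bytes(32)` cannot be tabulated in advance.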