SlowMist: Security Risk Alert — EOS Fake Account (Released in 2018)
Security Risk Alert — EOS Fake Account: the SlowMist Security Team reminds EOS wallet developers that if they do not strictly verify node confirmations, for example by requiring confirmations from at least 15 nodes before telling the user that the account has been created successfully, fake-account attacks become possible.
Attack Illustration:
1. A user registers an account (e.g., aaaabbbbcccc) through an EOS wallet, and the wallet reports that registration succeeded. Because the wallet's verification is lax, however, the account has not actually been registered yet (the creation transaction has not become irreversible).
2. The user immediately uses this account name to withdraw funds from an exchange.
3. If an attacker interferes at any point in this process, they may be able to register the account aaaabbbbcccc before the user does, so that the user withdraws funds to an account that no longer belongs to them.
Defense Suggestions
Poll the node and report success only once the transaction is in an irreversible block. The specific steps are:
1. After calling push_transaction, you receive a trx_id (the transaction id).
2. POST that trx_id to the /v1/history/get_transaction API.
3. If block_num in the response is less than or equal to last_irreversible_block, the transaction is in an irreversible block and the account creation can be reported as successful.
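The three steps above as an added Python example written for this edition of the alert (not SlowMist's, MORE.TOP's or any wallet's own code). The network call (step 2) is kept separate from the irreversibility check (step 3) so the check can be exercised offline against constructed node replies; the node URL and the simulated node are assumptions, and the simulated reply carries only the two fields the alert names.

```python
import json
import time
import urllib.request
from typing import Any, Callable, Dict

# Hypothetical node URL: an assumption for this example, not from the alert.
NODE_URL = "https://eos-node.example.invalid"


def fetch_transaction(node_url: str, trx_id: str) -> Dict[str, Any]:
    """Step 2: POST the trx_id to /v1/history/get_transaction and parse the JSON reply."""
    body = json.dumps({"id": trx_id}).encode("utf-8")
    req = urllib.request.Request(
        node_url + "/v1/history/get_transaction",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def is_irreversible(tx: Dict[str, Any]) -> bool:
    """Step 3: the transaction is final only when block_num <= last_irreversible_block.

    A missing field means the node has not yet placed the transaction in a block
    (or the reply is malformed); both cases are treated as 'not confirmed'.
    """
    block_num = tx.get("block_num")
    lib = tx.get("last_irreversible_block")
    if block_num is None or lib is None:
        return False
    return int(block_num) <= int(lib)


def wait_for_irreversible(
    trx_id: str,
    fetch: Callable[[str], Dict[str, Any]],
    attempts: int = 120,
    interval: float = 1.0,
    sleep: Callable[[float], None] = time.sleep,
) -> bool:
    """Poll until the transaction is irreversible; True means the wallet may show success.

    A transport error or a 'transaction not found' reply (the node has not indexed
    it yet, or it dropped out of the chain after a fork) counts as a failed poll,
    never as success. Exhausting the attempts returns False: the wallet must not
    tell the user the account exists in that case.
    """
    for _ in range(attempts):
        try:
            tx = fetch(trx_id)
        except Exception:
            tx = None
        if tx is not None and is_irreversible(tx):
            return True
        sleep(interval)
    return False


def make_simulated_node(block_num: int = 123456, start_lib: int = 123440, lib_step: int = 4):
    """Constructed stand-in for a real node: its LIB advances by lib_step on every poll."""
    state = {"lib": start_lib, "polls": 0}

    def fetch(trx_id: str) -> Dict[str, Any]:
        state["polls"] += 1
        state["lib"] += lib_step
        # Constructed reply carrying only the fields the alert names.
        return {
            "id": trx_id,
            "block_num": block_num,
            "last_irreversible_block": state["lib"],
        }

    return fetch, state


if __name__ == "__main__":
    fetch, state = make_simulated_node()
    # Against a real node you would pass: lambda tid: fetch_transaction(NODE_URL, tid)
    confirmed = wait_for_irreversible("<constructed-trx-id>", fetch, attempts=10, sleep=lambda s: None)
    print("irreversible after", state["polls"], "polls:", confirmed)
```

The wallet should only move to its "account created" screen when wait_for_irreversible returns True; a timeout, a network error or a not-found reply all leave the user on a pending state, which is the behaviour the alert asks for.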
Acknowledgments
Huobi, for providing threat intelligence.
MORE.TOP wallet, for providing defense technical details.
WTF Wallet Technical Working Group, for communication.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. It was founded by a team with over ten years of network security experience, with the aim of becoming a global force in the field. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.
Website:
https://www.slowmist.com
Twitter:
https://twitter.com/SlowMist_Team
GitHub:
https://github.com/slowmist/