1 Billion Fake EOS Tokens Used To Steal $58k From Decentralised Exchange
Thieves have fabricated 1 billion EOS based tokens, ironically also named EOS, in order to purchase a number of tokens from Newdex, a decentralised exchange. Since the EOS tokens weâre fake and have no value, the hackers managed to lift around $58,000.00 worth of BLACK, IQ and ADD tokens from Newdex. According to The Next Web, Newdex have confirmed the hack in an official statement:
âEOS account oo1122334455 issued 1,000,000,000 fake EOS tokens. After testing the feasibility of the attack, the account began to place large buy orders. A total of 11,800 fake EOS orders were issued to purchase BLACK, IQ and ADD.â
Because of this, no real value has been pumped into the exchange, instead, the EOS tokens are âdead moneyâ. This in turn means that users of Newdex are left pick up the pieces and that many have been left out of pocket as a result of this. Newdex are yet to comment on how they plan on compensating their customers.
In order to ensure the legitimacy of their tokens, the hackers then seem to have gone on to exchange their stolen BLACK, IQ and ADD tokens for legitimate EOS tokens, according to The Next Web:
âThe thieves eventually traded the collection of tokens for real EOS cryptocurrency. Newdex later revealed the attackers managed to siphon 4,028 real EOS (approximately $20,000) to cryptocurrency exchange desk Bitfinex. Ultimately, itâs the Newdex dApp users left to suffer losses, which amount to roughly $58,000.â
How was this allowed to happen?
The problem is of course vulnerabilities within Newdex that have allowed the hackers to get away with this, however, part of the nature of EOS is also partly to blame. Simply put, anyone can create a token on EOS (in the same way users can create Ethereum tokens), however, the EOS tokens allow users to name them whatever they want. In this instance, the use of the name EOS is what seems to have fooled Newdex. Moreover, Newdex donât use smart contracts, this is the vulnerability that allowed the fake EOS tokens to be authorised. With no smart contract system in place to confirm the authenticity of transactions, itâs actually been a bit of a free for all for the hackers.
Why donât Newdex run smart contracts?
According to The Next Web:
âThis is because its developers appear to be leveraging the hype surrounding decentralized exchanges (DEX), by dressing itself up as one. In reality, itâs just a single user account handling trades under the guise of being an asset exchange â pretty centralized, if you ask me. Whatâs worse, it appears that it is using the exact same key for both its owner and active permissions. This creates a single attack vector that is easily exploitable. For reference, most exchanges at least use multi-sig wallets. It seems in this instance, the keys werenât the target â just the gaping security holes left by token exchange developers too negligent to even program a smart contract to protect users.â
This fascination around âdecentralisationâ is causing vulnerabilities in decentralised exchanges, vulnerabilities that will prove to be dangerous, as we have seen in the case of Newdex. Hopefully the company will be held accountable for this and will be forced to issue some form of compensation. For now though, it seems they are only intent on issuing an apology and nothing more.
The Next Web