Thieves have created 1 billion EOS-based tokens, ironically also named EOS, in order to purchase a number of tokens from Newdex, a decentralised exchange. Since the EOS tokens were fake and had no value, the hackers managed to lift around $58,000 worth of BLACK, IQ and ADD tokens from Newdex. According to The Next Web, Newdex have confirmed the hack in an official statement:
“EOS account oo1122334455 issued 1,000,000,000 fake EOS tokens. After testing the feasibility of the attack, the account began to place large buy orders. A total of 11,800 fake EOS orders were issued to purchase BLACK, IQ and ADD.”
Because of this, no real value has been pumped into the exchange; instead, the fake EOS tokens are ‘dead money’. This in turn means that users of Newdex are left to pick up the pieces, and many have been left out of pocket as a result. Newdex are yet to comment on how they plan on compensating their customers.
To convert their stolen tokens into something of genuine value, the hackers then seem to have exchanged the BLACK, IQ and ADD tokens for legitimate EOS tokens, according to The Next Web:
“The thieves eventually traded the collection of tokens for real EOS cryptocurrency. Newdex later revealed the attackers managed to siphon 4,028 real EOS (approximately $20,000) to cryptocurrency exchange desk Bitfinex. Ultimately, it’s the Newdex dApp users left to suffer losses, which amount to roughly $58,000.”
How was this allowed to happen?
The problem is of course the vulnerabilities within Newdex that allowed the hackers to get away with this; however, the nature of EOS is also partly to blame. Simply put, anyone can create a token on EOS (in the same way users can create Ethereum tokens), and EOS lets token creators name them whatever they want. In this instance, the use of the name EOS is what seems to have fooled Newdex. Moreover, Newdex don’t use smart contracts, and this is the vulnerability that allowed the fake EOS tokens to be authorised. With no smart contract in place to confirm the authenticity of transactions, it has been a bit of a free-for-all for the hackers.
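As an added illustration (not Newdex or EOSIO code), here is a plain C++ sketch of the check a receiving contract should make on an incoming transfer: verify which contract issued the token, not just its symbol. The field names mirror an EOS transfer notification but are constructed, and the exchange account name is a placeholder.

```cpp
// Added example: why symbol-only matching lets a look-alike "EOS" through.
#include <string>

// The genuine EOS token is issued by the eosio.token system contract,
// with symbol EOS and 4 decimal places. Any account can deploy its own
// token contract that also happens to use the symbol "EOS".
const std::string GENUINE_EOS_CONTRACT = "eosio.token";
const std::string GENUINE_EOS_SYMBOL = "EOS";
const int GENUINE_EOS_PRECISION = 4;

struct Transfer {           // constructed mirror of a transfer notification
    std::string code;       // account whose contract emitted the action
    std::string from;
    std::string to;
    std::string quantity;   // EOSIO asset string, e.g. "1.0000 EOS"
    std::string memo;
};

struct Asset { bool valid; long long units; int precision; std::string symbol; };

// Parse "1.0000 EOS" into units=10000, precision=4, symbol="EOS".
Asset parseAsset(const std::string& s) {
    Asset bad{false, 0, 0, ""};
    std::string::size_type space = s.find(' ');
    if (space == std::string::npos || space == 0) return bad;
    std::string num = s.substr(0, space), sym = s.substr(space + 1);
    if (sym.empty()) return bad;
    for (char c : sym) if (c < 'A' || c > 'Z') return bad;   // symbols are A-Z only
    std::string::size_type dot = num.find('.');
    int precision = (dot == std::string::npos) ? 0 : (int)(num.size() - dot - 1);
    std::string digits = num;
    if (dot != std::string::npos) digits.erase(dot, 1);
    if (digits.empty() || digits.size() > 18) return bad;
    for (char c : digits) if (c < '0' || c > '9') return bad;
    return Asset{true, std::stoll(digits), precision, sym};
}

// Accept a deposit only if it was emitted by the genuine token contract
// and carries the genuine symbol and precision. Checking only that the
// symbol reads "EOS" is the gap a fake token exploits.
bool isGenuineEosDeposit(const Transfer& t, const std::string& exchangeAccount) {
    if (t.to != exchangeAccount) return false;         // not a deposit to us
    if (t.code != GENUINE_EOS_CONTRACT) return false;  // issued by some other contract
    Asset a = parseAsset(t.quantity);
    return a.valid && a.symbol == GENUINE_EOS_SYMBOL
        && a.precision == GENUINE_EOS_PRECISION && a.units > 0;
}
```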
Why don’t Newdex run smart contracts?
According to The Next Web:
“This is because its developers appear to be leveraging the hype surrounding decentralized exchanges (DEX), by dressing itself up as one. In reality, it’s just a single user account handling trades under the guise of being an asset exchange – pretty centralized, if you ask me. What’s worse, it appears that it is using the exact same key for both its owner and active permissions. This creates a single attack vector that is easily exploitable. For reference, most exchanges at least use multi-sig wallets. It seems in this instance, the keys weren’t the target – just the gaping security holes left by token exchange developers too negligent to even program a smart contract to protect users.”
This fascination with ‘decentralisation’ is creating vulnerabilities in decentralised exchanges, vulnerabilities that will prove dangerous, as we have seen in the case of Newdex. Hopefully the company will be held accountable for this and forced to issue some form of compensation. For now, though, it seems they are only intent on issuing an apology and nothing more.