An ongoing exploit on EOSIO is allowing an attacker to win every roll on gambling dApp EOSPlay by paying to fill blocks with their transactions. So far, the attacker gained 30,000 EOS worth over $110,000 while making the network “unusable.”Scale of the exploit
A clever attacker was able to use REX, an EOS resource exchange for RAM and CPU, to ensure that blocks were filled with their transactions to continuously win on the gambling dApp EOSPlay. This resulted in the EOSIO network “freezing” as thousands of EOS were fed to the attacker’s wallet, as confirmed by another source.
For 300 EOS, worth a little over $1,000, the attacker was able to make away with 30,000 EOS tokens, said Jared Moore to CryptoSlate, an active community member. A look at the on-chain transactions involved confirms the attack.Transactions showing consecutive wins on EOSPlay
One anonymous smart contract developer, the creator of the ERC-233 token, stated the attack may have impacted more than just EOSPlay. The attacker appears to be leveraging multiple accounts to exploit several different smart contracts.It seems that the scale of the attack is much larger than we originally expected.These are attacker's accounts:https://t.co/wdeRVVHT4Vhttps://t.co/euC2gEncj7https://t.co/7mrpdRfGLihttps://t.co/Wsl578HVPahttps://t.co/I0aTR8OvbQhttps://t.co/7ixE6VCoLfhttps://t.co/1QIOQDfDlw — Dexaran (@Dexaran) September 13, 2019 Mechanics behind the attack
As for the method behind the attack, EOSIO Alabama explained that the billing rate for CPU resources dynamically increases on REX.“Everyone basically gets locked out unless they have more EOS staked than the attacker,” he reasoned.
In this instance, the attacker had roughly 900,000 EOS staked and allocated to CPU, seemingly preventing others from accessing the resource. The anonymous security engineer supported this theory, saying that “by congesting the network the attacker disallowed anyone to send transacti...