If you think your tokens are safe in an exchange, you are wrong. If you think trading through an exchange is safe, you are wrong again. If an exchange claims it is decentralized, well it doesn’t mean it really is. So why am I bitching about this again? Well, partly because crypto security is an evergreen topic and partly because somebody somehow exploited exchange vulnerabilities once again.
Pssst, kid! Wanna buy some EOS?
It seems like EOS troubles have no end. The startup did raise $4 billion from institutional investors to challenge Ethereum and virtually every couple of days we see hackers chewing off bits of EOS and spitting them in investors’ faces.
The EOS protocol allows anyone to create a token and name it whatever they like. Yes, “EOS” is just the perfect name and it’s free, ya know. Thanks to this smart move from the real EOS engineers, the baddies “developed” an EOS-based token, named it “EOS” and flooded one particular “decentralized” exchange with copycat tokens. One billion fake tokens, to be exact. And do you know what’s worse? By the end of the perfectly staged attack, the culprits had smuggled some $58,000 from ordinary traders.
This is probably the most hackless hack in the history of hacks, and here’s why. The bad boys never really had to hack the exchange, because it doesn’t use smart contracts and it isn’t even decentralized. They bought some altcoins with their fake EOS tokens, then exchanged those altcoins for real EOS, which they siphoned out through Bitfinex.
Newdex (the “hacked” marketplace) said in a statement:
“EOS account oo1122334455 issued 1,000,000,000 fake EOS tokens. After testing the feasibility of the attack, the account began to place large [buy orders]. A total of 11,800 fake EOS orders were issued to purchase BLACK, IQ [sic] and ADD.”
Thanks, Captain Obvious! Now, since there is no smart contract to verify which contract actually issued the tokens it receives (on EOS the symbol “EOS” is not unique; any account can issue a token that carries it), anyone can send anything and fool the system. In other words, Newdex is not a decentralized exchange. It is just a single account that conducts the transactions, pretending to be an asset exchange. Ha-ha-ha, very smart. It turns out traders were just sending money to a personal EOS account, hoping it would settle their transactions accordingly.
In fact, the crypto community smelled that something was wrong days before the attack:
“Unlike a real DEX, they do not have a smart contract that holds funds / handles order matching on-chain. Instead, they match all orders off-chain in a centralized server. […] What’s worse, they deceptively present Scatter as the login and trading interface, so you feel like you’re using a DEX. In reality, you aren’t sending funds to any smart contract, it’s just a regular EOS account they own ‘newdexpocket’, that doesn’t even have a smart contract running on it. […] This means there’s no smart contract or ABI on that account. Essentially all you are doing when you submit an order from their interface is sending your funds to their personal EOS account and hoping they return you the tokens you’re buying/selling.”
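To make the missing check concrete, here is an added example (my own code, not anything from Newdex or the EOS project) of how an off-chain matching engine could credit incoming transfers. It contrasts the weak check the post describes, which trusts the symbol text inside the transfer, with one that identifies a token by the contract account that issued it plus its symbol and precision, and also insists the transfer was addressed to the deposit account named in the quote above. The attacker account oo1122334455, the one-billion fake supply and the deposit account newdexpocket come from the post; eosio.token being the contract that issues the genuine EOS system token is a fact about EOS outside the post; the trader names, the BLACK/ADD contract names and the action-trace shape are constructed for this example.

```python
import re
from decimal import Decimal

# Exchange deposit account, taken from the community post quoted above.
DEPOSIT_ACCOUNT = "newdexpocket"

# Tokens the matching engine may credit. The key is the issuing contract
# account plus symbol and precision: on EOS a symbol string alone is not
# unique, because any account can deploy a token contract that issues "EOS".
# eosio.token / EOS / 4 is the genuine system token; the BLACK and ADD
# contract names below are constructed placeholders for this example.
ALLOWED_TOKENS = {
    ("eosio.token", "EOS", 4),
    ("blacktokenxx", "BLACK", 4),  # constructed, not the real BLACK contract
    ("addtokenxxxx", "ADD", 4),    # constructed, not the real ADD contract
}

# EOS asset strings look like "1000.0000 EOS": integer part, optional
# fraction, one space, 1-7 upper-case letters.
ASSET_RE = re.compile(r"^(\d+)(?:\.(\d+))? ([A-Z]{1,7})$")


def parse_asset(quantity):
    """Split an asset string into (amount, symbol, precision).

    Precision (number of decimal digits) is part of the token identity on
    EOS. Raises ValueError for anything outside the asset grammar or for a
    non-positive amount."""
    m = ASSET_RE.match(quantity.strip())
    if not m:
        raise ValueError(f"malformed asset string: {quantity!r}")
    whole, frac, symbol = m.groups()
    precision = len(frac) if frac else 0
    amount = Decimal(f"{whole}.{frac}") if frac else Decimal(whole)
    if amount <= 0:
        raise ValueError("amount must be positive")
    return amount, symbol, precision


def credit_by_symbol(action):
    """Weak check: trusts the symbol text inside the transfer.

    This is the behaviour the post describes: a token whose symbol reads
    "EOS" is credited as EOS no matter which contract issued it."""
    amount, symbol, _ = parse_asset(action["data"]["quantity"])
    if any(sym == symbol for _, sym, _ in ALLOWED_TOKENS):
        return ("credited", symbol, amount)
    return ("rejected", f"unknown symbol {symbol}", None)


def credit_by_issuer(action):
    """Hardened check: identity = (issuing contract, symbol, precision), and
    the action must be a 'transfer' addressed to the deposit account."""
    if action.get("name") != "transfer":
        return ("rejected", "not a transfer action", None)
    data = action["data"]
    if data.get("to") != DEPOSIT_ACCOUNT:
        return ("rejected", "not addressed to the deposit account", None)
    try:
        amount, symbol, precision = parse_asset(data["quantity"])
    except ValueError as exc:
        return ("rejected", f"bad quantity: {exc}", None)
    issuer = action["account"]  # the contract that executed the transfer
    if (issuer, symbol, precision) not in ALLOWED_TOKENS:
        return ("rejected", f"{symbol} issued by untrusted contract {issuer}", None)
    return ("credited", f"{symbol}@{issuer}", amount)


# Constructed sample action traces. The layout (account = contract that ran
# the action, name, data{from,to,quantity,memo}) follows the EOS action
# shape; trader names are invented, the attacker account and the
# 1,000,000,000 fake supply come from the Newdex statement quoted above.
SAMPLE_ACTIONS = [
    {"account": "eosio.token", "name": "transfer",
     "data": {"from": "honesttrader", "to": "newdexpocket",
              "quantity": "250.0000 EOS", "memo": "buy BLACK"}},
    {"account": "oo1122334455", "name": "transfer",  # symbol says EOS, issuer does not
     "data": {"from": "oo1122334455", "to": "newdexpocket",
              "quantity": "1000000000.0000 EOS", "memo": "buy IQ"}},
    {"account": "eosio.token", "name": "transfer",  # real EOS, but not sent to the exchange
     "data": {"from": "honesttrader", "to": "someoneelse",
              "quantity": "5.0000 EOS", "memo": ""}},
]


def compare_checks(actions=SAMPLE_ACTIONS):
    """Run both checks over the actions; returns (weak, strict) status pairs."""
    return [(credit_by_symbol(a)[0], credit_by_issuer(a)[0]) for a in actions]


if __name__ == "__main__":
    for action, (weak, strict) in zip(SAMPLE_ACTIONS, compare_checks()):
        print(f"{action['account']:>13} {action['data']['quantity']:>22}  "
              f"symbol-only: {weak:9} issuer-aware: {strict}")
```

Run as a script, the table shows the symbol-only check crediting all three transfers, including the billion fake “EOS” from oo1122334455 and the real EOS that never reached the deposit account, while the issuer-aware check credits only the first. On a real deployment the issuer comes from the action trace, not from anything the sender types into the memo or symbol field, which is exactly why it cannot be spoofed by minting a lookalike token.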
Well, I have nothing more to add, this whole fiasco has really blown me away. And remember, stay off of Newdex.