Qihoo 360, China’s largest internet security company, said that it had identified a high-risk security vulnerability on the EOS network. EOS fixed the bug today, around 24 hours later, though the two parties seem to disagree about what really happened and how serious the flaw was.
In a statement, Qihoo 360 confirmed the security vulnerability at 1PM yesterday and subsequently reported the security flaw to the EOS development team at 10PM the same day. EOS repaired the security issue by 2PM today, according to announcements from both companies.
"It is a good thing that a big Internet company like Qihoo 360 is finding security flaws in a blockchain project, which I suspect could only benefit EOS in raising its public awareness," said a blockchain professional anonymously. "But we cannot rule out the possibility that this could be an event designed to promote Qihoo 360 itself."
Another person intimately connected with EOS said that the security bug is exaggerated and will not impact the launch of EOS mainnet. Some media reports speculated that the security vulnerability could delay the launch of EOS mainnet, which is scheduled for June 1.
According to Qihoo 360, the security problem is "on an epic scale", and could be used to repackage a malicious contract into a new block, which would then cause all full nodes in the network to be controlled remotely. This could be catastrophic to the EOS network, claims Qihoo 360.
"Since the system of the node is completely controlled, the attacker can ‘do whatever it wants’, such as stealing the key of the EOS super node, controlling the virtual currency transactions of the EOS network; and acquiring other financial and privacy data in the EOS network participating node system — such as a user’s key stored in the wallet, key user profiles, privacy data, and more," stated Qihoo 360.
The EOS team, however, believes that the security vulnerability is not nearly as serious as Qihoo 360 claims. Roshan Abraham, the Head of Technology at EOS block production candidate EOS Authority, stated that "The virtual machines (VM) used in EOS is web assembly. Web assembly is actively developed by Google, Microsoft and other major companies. It is highly unlikely to have (VM) issues. It is most likely to be a specific issue with nodes."
"This is really epic self-promotion, not epic security flaws," said the person connected to EOS who is not authorized to speak publicly.
EOS aims to build an infrastructure for decentralized applications that supports industrial-scale applications, and claims it will eliminate transaction fees and conduct millions of transactions per second. Block.one, the company behind EOS, completed EOS token offerings in 2017, raising over US$700 million.