The SlowMist security team warns of an EOS account security risk. The team noted that EOS wallet developers must strictly check node confirmation (at least 15 confirming nodes) before telling the user that an account has actually been created successfully. If this check is not done correctly, a fake-account attack can occur.
How does the attack take place?
The attack can occur when a user registers an account through an EOS wallet and the wallet reports that registration succeeded, but the check is not strict and the account is in fact not yet registered. The user then uses that account to withdraw funds from an exchange. If any part of the process is malicious, the user's withdrawal may end up in an account that is not their own.
How to defend against the attack?
Poll the node and prompt success only after the transaction's irreversible block information has been returned. The specific technical process is: call push_transaction to obtain the trx_id, query the interface POST /v1/history/get_transaction, and in the returned parameters check that block_num is less than or equal to last_irreversible_block, at which point the transaction is irreversible (permanent).
Recently, the blockchain security company PeckShield examined the security of EOS accounts and found that some users' private keys exposed them to major security risks. They found that the root cause is that some private-key generation tools allow users to supply a weak mnemonic combination. A private key generated this way is far more vulnerable to rainbow-table attacks and can lead to the theft of digital assets.
PeckShield wrote, "The essence of the risk is caused by improper use of third-party EOS key-pair generation tools, including but not limited to EOSTEA. With user-provided seeds, these tools greatly facilitate users in generating their EOS key pairs."
They also described the consequence: "... if a simple seed is chosen (by the user) and allowed (by the tool), the generated keys could be exposed and exploited by launching a rainbow table attack (or dictionary attack)." They explained in their blog that, in order to protect affected holders, PeckShield will be releasing a public service known as EOSRescuer.
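The mitigation implied by the PeckShield finding is on the tool side: a seed-based key generator should refuse seeds that are guessable before deriving anything from them. The following is an added example, not PeckShield's or EOSTEA's code; it assumes, for illustration only, a tool that maps a user seed to key material by hashing it with SHA-256 (the page does not state how any particular tool derives keys), and the deny-list and thresholds are constructed values.

```python
import hashlib
import math
import re

# Constructed deny-list of trivially guessable seeds (example data, not from the page).
COMMON_SEEDS = {"password", "123456", "12345678", "qwerty", "letmein", "eos"}

# Constructed example of a seed that passes the policy.
STRONG_SEED = "Tq7#vLp9!mXz2&wR4cB"


def estimate_entropy_bits(seed):
    """Rough upper bound on entropy: length * log2(size of the character classes used).
    This overestimates for human-chosen strings, so it is only a first filter."""
    classes = 0
    if re.search(r"[a-z]", seed):
        classes += 26
    if re.search(r"[A-Z]", seed):
        classes += 26
    if re.search(r"[0-9]", seed):
        classes += 10
    if re.search(r"[^A-Za-z0-9]", seed):
        classes += 33
    if classes == 0:
        return 0.0
    return len(seed) * math.log2(classes)


def seed_is_acceptable(seed, min_bits=80):
    """Policy a key-generation tool could enforce before accepting a user seed.
    Returns (ok, reason)."""
    s = seed.strip()
    if s.lower() in COMMON_SEEDS:
        return False, "seed is a well-known value"
    if len(set(s)) < 6:
        return False, "too few distinct characters"
    bits = estimate_entropy_bits(s)
    if bits < min_bits:
        return False, "estimated entropy %.0f bits is below %d" % (bits, min_bits)
    return True, "ok"


def derive_key_material(seed):
    """Assumed seed-to-key mapping (SHA-256 of the seed) used here only to show
    that the output is fully determined by the seed: a guessable seed means a
    precomputable key, which is what makes rainbow-table attacks possible."""
    ok, reason = seed_is_acceptable(seed)
    if not ok:
        raise ValueError("seed rejected: " + reason)
    return hashlib.sha256(seed.encode("utf-8")).hexdigest()


def try_derive(seed):
    """Return the hex key material, or None when the policy rejects the seed."""
    try:
        return derive_key_material(seed)
    except ValueError:
        return None


if __name__ == "__main__":
    for candidate in ["password", "eoseoseos", "abcdefghij", STRONG_SEED]:
        print(repr(candidate), seed_is_acceptable(candidate))
```

The entropy estimate is intentionally generous; the real guard is the combination of the deny-list, the distinct-character rule and the minimum-bits threshold, and a production tool would additionally require a proper random mnemonic rather than any user-typed phrase.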