Hackers have flooded the Newdex decentralized exchange with fake EOS tokens in an attempt to steal thousands worth of cryptocurrency. This has been the second time this week when EOS made headlines for the wrong reasons.
Nearly $58,000 were taken from the Newdex exchange when hackers discovered and used to their advantage a security flaw. Hard Fork reported that the cybercriminals deceived the exchange into believing that a fake token was actually real. The hackers made new EOS tokens that they called ‘EOS’ and used them to steal BLACK, IQ, and ADD tokens from the platform.
Newdex confirmed that the hack occurred and released the following statement:
“EOS account oo1122334455 issued 1,000,000,000 fake EOS tokens. After testing the feasibility of the attack, the account began to place large buy orders. A total of 11,800 fake EOS orders were issued to purchase BLACK, IQ [sic] and ADD.”
The fake EOS tokens were then exchanged with real ones that were subsequently transferred to Bittrex according to Newdex.’s sayings The hackers managed to take 4,028 EOS tokens worth around $19,450 at current values. The total sum lost by the exchange’s users is estimated to be around $58,000. The exchange has not released if the hack victims will be reimbursed or not.
The vulnerability comes from the EOS platform letting anyone create a token and naming it however they want, even ‘EOS’. Furthermore, Newdex does not employ smart contracts so the authenticity of the tokens could not be verified.
Regarding the way single user accounts can act as exchanges on the DEX, the EOS community said the following:
“They deceptively present Scatter as the login and trading interface, so you feel like you’re using a DEX. In reality you aren’t sending funds to any smart contract, it’s just a regular EOS account they own ‘newdexpocket’, that doesn’t even have a smart contract running on it.”
Without a smart contract to verify the issued tokens, users can send any kind of tokens to an EOS and expect for them to execute them. According to Hard Fork, they used the exact same key for both its owner and active authorizations. This led to an attack that may have been avoided if the exchange utilized mulit-signature wallets like the rest.
Last week EOS was the victim of another smart contract breach when the EOSBet dApp was hacked, in which $220,000 worth of cryptocurrencies were stolen. These latest attempts show us that hackers are relentless in their search for ways to exploit the vulnerabilities of trading platforms and exchanges.