A serious new bug has been discovered in the code of EOS, the fourth largest altcoin, leaving any user who makes a transaction vulnerable to theft of their RAM.
Instead, EOS was pushed online quickly, and a bounty program was instituted to sort out issues as they were discovered. Soon after the launch of the EOS mainnet, the project made news when a single user claimed its bug-hunting bounty 12 times in a week.
RAM Hunting Bug
Now a new bug has been found that allows recipients of transactions on the network to steal RAM from senders.
This is accomplished with malicious code on the recipient’s end, which allows the recipient to add table rows to the transactions of users who are sending them tokens and to fill those rows with garbage data, using up the sender’s RAM. In other words, users must initiate transactions themselves in order to leave themselves vulnerable.
The bad news is, smart contracts are vulnerable too, and in any case, with no transactions, the network does nothing.
A permanent solution is in the works, so it is unlikely this bug will cause the project any lasting damage. In the meantime users are encouraged to send transactions through proxies – that is, to set up a second account, and funnel all transactions through that.
Why steal RAM?
The EOS network is designed so that users need the RAM built into the network to execute decentralized apps and smart contracts. And that RAM is limited.
The whole network was originally limited to 64 GB of RAM, and that amount is now slowly being increased. However, it is still limited, and users have taken to trading it like any other scarce resource. At the moment of writing, one kilobyte of RAM is valued at roughly $0.12.
Currently, demand from actual applications is much less than the amount available, but speculation has raised the price considerably. It is hoped that as demand increases, RAM will cease to be the focus of speculation and be allowed to flow where it is needed.