The promise of decentralized crypto exchanges is that their security is beyond reproach, but as a recent hack showed, some of them are not living up to that promise. Newdex, a decentralized crypto exchange, was recently hacked in an attack that did much more than cause the loss of $58,000 worth of tokens. Even more appalling were the gross vulnerabilities the attack exposed, one of which was the complete absence of smart contracts on the platform.

Flooding The Platform

The attackers orchestrated the attack by first creating 1 billion EOS-based tokens, with which they then flooded the exchange. The tokens, which the attackers named EOS to confuse other users, were released onto the platform and used to buy other tokens, key among them ADD, IQ and BLACK.

As revealed by one report, the attackers first tested the feasibility of the attack before they began placing large orders. Quoting a statement made by the exchange regarding the hack, the report stated that the attackers placed a total of 11,800 fake EOS orders to purchase the other tokens, most of them very large.

The attackers also managed to trade some of the fake EOS tokens for real ones, with the exchange disclosing that the attackers made off with at least 4,028 real EOS tokens. At the current market rate, that stash is worth just over $20,000. The real EOS tokens the attackers made off with were transferred to accounts held at the Bitfinex exchange.

Overall, the losses incurred by the users are estimated to stand at $58,000. Newdex has since then apologized to the affected users via a statement but according to the report, it has no immediate plans of compensating any of the users.

The attack exposed some major vulnerabilities in both EOS and the Newdex exchange, one of which is the platform's failure to use smart contracts. Had there been a smart contract on the Newdex wallets, the fake EOS tokens would have been easily detected and the attack thwarted before it began. Instead, the exchange seemed to rely solely on the good conduct of its users, believing that none of them could do anything to compromise the platform. Making matters worse, the security vulnerability stemming from the lack of smart contracts had been discovered by users on Reddit a week before the attack. The user who discovered it warned against using the exchange, stating:

“Alternatively, if their key is compromised then the funds are as good as gone because again this is just a simple EOS account holding the exchange funds and anybody with their active key can drain the account.”

Another vulnerability brought to light by the attack is the ease with which attackers can create tokens on EOS provided they have an EOS account. The newly created tokens can be given any name the attackers please, and in this case they chose EOS, which confused many users.
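As an added illustration of the check that was missing (example code written for this article, not Newdex's own), the function below accepts a deposit only when the token's issuing contract, symbol and precision all match a trusted entry, since on EOS a token is identified by the contract account that issued it, not by its symbol string alone. It assumes the native EOS token is issued by the `eosio.token` contract with precision 4; the transfer records and account names are constructed sample data.

```python
import re
from dataclasses import dataclass

# Canonical issuing contract and precision for the native EOS token (assumed here).
TRUSTED_TOKENS = {"EOS": ("eosio.token", 4)}

QUANTITY_RE = re.compile(r"^(\d+)\.(\d+) ([A-Z]{1,7})$")

@dataclass
class Transfer:
    contract: str   # account whose `transfer` action ran, i.e. the token's issuer
    sender: str
    receiver: str
    quantity: str   # asset string such as "1.0000 EOS"

def parse_quantity(quantity):
    """Split an EOS asset string into (integer amount, precision, symbol)."""
    m = QUANTITY_RE.match(quantity)
    if not m:
        raise ValueError(f"malformed asset: {quantity!r}")
    whole, frac, symbol = m.groups()
    return int(whole + frac), len(frac), symbol

def is_genuine(transfer):
    """True only if symbol, precision and issuing contract all match a trusted token."""
    try:
        _, precision, symbol = parse_quantity(transfer.quantity)
    except ValueError:
        return False
    expected = TRUSTED_TOKENS.get(symbol)
    return expected is not None and expected == (transfer.contract, precision)

def credit_deposits(transfers):
    """Return (credited amounts per symbol, rejected transfers); look-alikes are rejected."""
    credited = {}
    rejected = []
    for t in transfers:
        if is_genuine(t):
            amount, _, symbol = parse_quantity(t.quantity)
            credited[symbol] = credited.get(symbol, 0) + amount
        else:
            rejected.append(t)
    return credited, rejected

# Constructed sample deposits: one genuine, one symbol-only look-alike, one wrong precision.
SAMPLE = [
    Transfer("eosio.token", "alice", "exchange", "25.0000 EOS"),
    Transfer("attacker1111", "mallory", "exchange", "1000000000.0000 EOS"),
    Transfer("eosio.token", "bob", "exchange", "3.00 EOS"),
]
```

Only the first sample is credited; the 1 billion look-alike tokens are rejected because their issuer is not the trusted contract, regardless of their symbol.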

