After discovering a new security vulnerability, hackers managed to flood a crypto exchange with fake EOS tokens. By the end of their operation, they ended up stealing as much as $58,000 from the exchange’s users directly.
New Hacking Attack Hits a “Decentralized” Exchange
The hacking attacks of the crypto world show no signs of stopping or even slowing down at this point. The proof of this is a new attack that has hit a “decentralized” crypto exchange called Newdex. The attack was not a classic one, and the hackers actually flooded the exchange with as much as 1 billion fake EOS tokens which they themselves created according to reports.
The tokens were created on EOS platform, and also named EOS. Through their use, the attackers illegitimately bought IQ, BLACK, and ADD tokens from the exchange. The exchange confirmed this, naming the account that performed the scam as “oo1122334455”. Additionally, the exchange admitted that as many as 11,800 fake orders were issued through the use of fake EOS coins.
Eventually, the scammers traded fake EOS for real EOS, gaining around 4,028 EOS coins, or approximately $20,000 on Bitfinex. The worst losses were experienced by the Newdex users, which cost around $58,000 in total. While the exchange’s team has apologized for the incident, they released no plans regarding compensation for their users.
How Did They Pull It Off?
After an initial investigation, it would seem that the vulnerability consists of two aspects. The first one is the fact that anyone can make their own token on EOS, and name it whatever they want — including “EOS”. The second one includes the fact that Newdex doesn’t require smart contracts. That way, it is not possible to actually confirm that the tokens pumped into its system are actually what they seem to be.
This is due to the fact that developers are using the popularity of DEX (decentralized exchanges), and are dressing to pose as one. What’s more, the community proved that Newdex is not a real DEX several days before the incident, stating that Scatter is presented as a trading and login interface, so that it would look like a DEX. The reality is that users are sending funds to regular EOS accounts that don’t have any kind of smart contract running on it.
This is called the “newdexpocket”, which is an EOS account that doesn’t use smart contract code and is actually just a Newdex dApp wallet. Basically, this means that the users are sending funds to a regular personal EOS account, with no confirmation that they are making an official and real transaction.
In the end, while this definitely is not the greatest hacking attack in crypto history, it may be the biggest fiasco. What’s worse, this might seriously damage a lot of people’s opinion of DEX and decentralized internet.
Image from Shutterstock