It has been just over four months since the EOSIO blockchain officially launched, and while it is still young compared to Ethereum or Bitcoin, it has struggled to overcome its controversial rollout. The platform, though named the number one blockchain by the Chinese government, is still fighting RAM costs, bugs, exploits and, of course, centralization fears.
One of the biggest headaches for dApp developers has been the out of control cost of RAM.
Immediately after EOSIO’s mainnet launch, speculators jumped on RAM looking to turn a profit. Just two weeks after the platform’s launch, RAM utilization rose to 50 percent of the total supply, causing prices to soar as high as 0.94 EOS per KB. And though block producers jumped on top of the issue quickly, doubling the total supply of the limited resource, problems persisted.
In July, Dan Larimer released a “Three Step Plan” for lowering onboarding costs. The post noted that the platform would increase RAM supply, lower account memory usage and provide free accounts usable by any dApp that is compatible with Block.one’s wallet API. And on September 6th, block producers jumped on board, adding 1400 bytes to all new accounts and reducing the recommended minimum amount of RAM one should purchase by 25 percent.
Block producer New York EOS explained, “EOS account creation cost is an extremely important aspect of the health of the platform. Many users of EOS decentralized applications (dApps) are early adopters, people who are eager and willing to spend the time to understand the EOS blockchain. But in the future, users will not be as eager. The users of the future will want to use the new dApp they found as quickly as possible. In fact, they may not know they’re about to interact with a blockchain at all.
For that to happen, dApp developers will need to pay for the network resources required to onboard users (or pass this cost on to users). Reducing this cost by 25% dramatically reduces the barriers to development when considering account creation at scale.”
With the new tweaks, RAM costs have fallen significantly from the previous highs. But costs aren’t the only problem with the resource.
Bad actors stealing RAM
In late August, a new bug was revealed that allowed bad actors to steal RAM from unsuspecting users.
EOSEssentials described the exploit, “A malicious user can install code on their account which will allow them to insert [table] rows in the name of another account sending them tokens. This lets them steal RAM by inserting large amounts of garbage into [table] rows when dApps/users send them tokens.”
According to César Rodriguez, one of the developers working on the fix, the stolen RAM cannot be used or sold by the attacker, but neither can it be retrieved.
Dan Larimer compared the exploit to vandalism but mentioned that it should not impact the platform in the long-term, “[It] should do no long term damage to the parties involved once the EOS governance process can review and remedy the situation.”
Larimer was also quick to respond with interim advice, suggesting that users remain diligent in reviewing the contracts they interact with. Additionally, he suggested a temporary workaround, asking users to create proxy accounts with no RAM.
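To make the mechanics of the RAM-stealing bug concrete, here is a small added model (not code from the article, from EOSIO or from the developers quoted above) of how RAM is billed when a token transfer notifies the recipient's contract. The account names, quotas and byte counts are constructed; the hardened rule it enforces is that code running as a transfer notification may only bill RAM to its own account, and it also shows why a sending proxy with no spare RAM fails loudly instead of being drained.

```python
from dataclasses import dataclass, field


@dataclass
class Chain:
    """Minimal RAM accounting: per-account usage and quota, in bytes."""
    ram_used: dict = field(default_factory=dict)
    ram_quota: dict = field(default_factory=dict)
    restrict_notify_billing: bool = True  # False reproduces the vulnerable behaviour

    def charge_ram(self, payer, receiver, in_notify, nbytes):
        """Bill `nbytes` to `payer` for a table row created by `receiver`'s code.

        Hardened rule: during a notification the only permissible payer is the
        notified contract itself, so a recipient cannot name the sender as payer.
        """
        if in_notify and self.restrict_notify_billing and payer != receiver:
            raise PermissionError("cannot charge RAM to other accounts during notify")
        if self.ram_used.get(payer, 0) + nbytes > self.ram_quota.get(payer, 0):
            raise MemoryError(f"{payer} has insufficient RAM")
        self.ram_used[payer] = self.ram_used.get(payer, 0) + nbytes


def malicious_on_transfer(chain, sender, receiver, garbage_bytes):
    """The recipient's transfer handler as described in the article: it inserts
    `garbage_bytes` of junk rows and names the *sender* as the RAM payer."""
    chain.charge_ram(payer=sender, receiver=receiver, in_notify=True, nbytes=garbage_bytes)


def transfer(chain, sender, receiver, garbage_bytes):
    """Model of a token transfer that notifies the recipient contract.

    Returns (sender_ram_used_after, error). In EOSIO a failed assertion inside
    the notified contract aborts the whole transaction, so a non-None error
    means the transfer itself did not go through.
    """
    try:
        malicious_on_transfer(chain, sender, receiver, garbage_bytes)
        return chain.ram_used.get(sender, 0), None
    except (PermissionError, MemoryError) as exc:
        return chain.ram_used.get(sender, 0), str(exc)


if __name__ == "__main__":
    buggy = Chain(ram_quota={"alice": 8192}, restrict_notify_billing=False)
    print(transfer(buggy, "alice", "evilacct1111", 4000))   # sender's RAM consumed
    fixed = Chain(ram_quota={"alice": 8192}, restrict_notify_billing=True)
    print(transfer(fixed, "alice", "evilacct1111", 4000))   # rejected during notify
    proxy = Chain(ram_quota={"proxy": 0}, restrict_notify_billing=False)
    print(transfer(proxy, "proxy", "evilacct1111", 4000))   # workaround: no RAM to take
```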
From overly generous e-gambling payouts to botched airdrops, EOS dApps are having a tough month, as well.
On September 9th, an online gambling dApp, DEOSGames, fell victim to an exploit allowing a user to cash out over $23,000 in winnings after hitting the jackpot 24 times in a row. The developers of the dApp were quick to confirm the exploit, stating “Yesterday, we got a malicious contract exploit our contract. It is a good stress test and we got significant improvements on contract level,” adding, “Remember we are still in beta.”
While that may be chump change in the world of crypto-heists, another betting platform reported a significantly larger disruption.
Not even a week later, EOSBETCASINO identified a flaw in their contract wherein a user was able to walk off with over $200,000 worth of tokens. The exploit allowed the user to not pay on losing bets but still cash out when they won.
EOSBETCASINO was quick to fix the exploit and release a statement on Reddit, “On September 14th around 3:00 AM UTC, we experienced a hack and breach of our bankroll, resulting in a theft of 44,427.4302 EOS before our contracts were taken offline by the development team. The remaining 463,745 EOS in our EOSBETDICE11 and EOSBETCASINO contracts are safe, the vulnerability is patched, and we are back online. We want to be as transparent as possible in explaining this breach and addressing any concerns the community might have.”
In addition to the betting app missteps, another dApp highlighted perhaps a more worrying problem with the EOS platform.
Trybe, a blockchain-powered content creation platform, mistakenly gave airdrop recipients up to four times the amount they were supposed to receive. Following the botched giveaway, however, the developers unapologetically and without warning accessed users’ wallets to remove the excess tokens.
This brought into question EOS’ core smart contract protocol, which allows all contracts to be edited after they are deployed.
Tom Nordwood, Trybe’s founder, released a statement on Reddit, “We are comfortable in our decision to reverse transactions in this instance rather than leaving huge amounts of tokens in a few people’s wallets… What we did, by the way, is not just a function of the TRYBE token but of any token built on EOS, and to be honest, I was VERY GLAD that it was...”
This is not a new occurrence, either. Since the EOSIO launch, accounts have been frozen and accessed illegitimately on several occasions.
Decentralized Exchange Highlights Another Vulnerability
Newdex, a relatively new exchange trying to ride the ‘DEX’ or decentralized exchange hype, was flooded with over 1 billion fake EOS tokens, ultimately leading to the theft of over $50,000 in real crypto.
The attack was primarily the fault of the exchange, which, for whatever reason, does not use smart contracts. This critical detail means that the exchange was unable to verify the legitimacy of the ‘EOS’ tokens used in the attack.
Reddit users even pointed out this vulnerability days before the attack, “Unlike a real DEX, they do not have a smart contract that holds funds / handles order matching on-chain. Instead, they match all orders off-chain in a centralized server. I received this response from their support confirming this is the case: https://i.imgur.com/bo2TJ1m.png”
But it does also raise another important issue regarding the EOSIO platform itself.
Any user is able to create a token and name it anything they want. Though the community should rely on its own due diligence and on the due diligence of service providers, this design could potentially lead to more attacks of a similar nature.
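The defensive check an exchange needs here is to trust the contract account that executed the transfer, not the symbol string. The following is an added example (not Newdex’s code) of a deposit validator for an off-chain order book: it credits a deposit only when the transfer came from the system token contract eosio.token and carries the expected symbol and precision. The exchange account name, the counterfeit token contract and the sample actions are constructed; field names follow the eosio.token transfer action.

```python
import re
from decimal import Decimal

SYSTEM_TOKEN_CONTRACT = "eosio.token"   # mainnet system token contract
EXPECTED_SYMBOL = ("EOS", 4)            # symbol code and decimal precision

# EOSIO asset string: integer part, optional fraction, one space, 1-7 uppercase letters
ASSET_RE = re.compile(r"^(\d+)(?:\.(\d+))? ([A-Z]{1,7})$")


def parse_asset(text):
    """'100.0000 EOS' -> (Decimal('100.0000'), 'EOS', 4); ValueError if malformed."""
    m = ASSET_RE.match(text)
    if not m:
        raise ValueError(f"malformed asset: {text!r}")
    whole, frac, sym = m.groups()
    precision = len(frac) if frac is not None else 0
    amount = Decimal(f"{whole}.{frac}") if frac is not None else Decimal(whole)
    return amount, sym, precision


def credit_deposit(action, exchange_account="dexaccount11"):
    """Return (amount, None) for a genuine deposit, or (None, reason) otherwise.

    `action["code"]` is the account whose contract executed the transfer. A
    user-deployed contract can issue a token whose symbol is also "EOS", so
    the symbol alone proves nothing; the contract account is what matters.
    """
    if action["code"] != SYSTEM_TOKEN_CONTRACT:
        return None, f"token contract {action['code']} is not {SYSTEM_TOKEN_CONTRACT}"
    if action["to"] != exchange_account:
        return None, "transfer not addressed to the exchange"
    amount, sym, prec = parse_asset(action["quantity"])
    if (sym, prec) != EXPECTED_SYMBOL:
        return None, f"unexpected asset {sym} with precision {prec}"
    return amount, None


# Constructed sample actions: a real deposit and a counterfeit "EOS" from a user contract.
SAMPLE_ACTIONS = [
    {"code": "eosio.token", "from": "alice", "to": "dexaccount11",
     "quantity": "100.0000 EOS", "memo": "deposit"},
    {"code": "fakeeostokn1", "from": "mallory", "to": "dexaccount11",
     "quantity": "1000000000.0000 EOS", "memo": "deposit"},
]

if __name__ == "__main__":
    for act in SAMPLE_ACTIONS:
        print(act["code"], "->", credit_deposit(act))
```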
What’s Next for EOSIO?
While the platform has had a tough time working out all of the bugs, it is important to remember that it is only a few months old. There are going to be hiccups in any launch of this scale. But it is clear that block producers have their hands full. How EOSIO’s governance reacts to these problems will be key moving forward.
From Bancor’s pivot to the platform to Dan Larimer’s ambitious UBI propositions, the platform itself is ripe with potential, and it is obvious that its creators are some of the best in the business.
EOSIO has a long way to go before it can be compared to Bitcoin or Ethereum, both of which have had their own growing pains, but in the meantime, there are some handsome rewards for anyone who wants to lend a hand in identifying and helping to fix bugs on the platform.
By Michael Kern via Crypto Insider