Full Report
EOS is a blockchain with smart contract capabilities that is fairly unique compared to Ethereum in some regards. EOS transactions have 5 different states:

- Executed: Transaction succeeded with no error handling.
- soft_fail: The transaction failed but the error handler was properly triggered.
- hard_fail: The transaction failed and NO error handler was triggered.
- delayed: The transaction has some deferred execution.
- expired: The transaction is expired and cannot be executed.

In going through the article (not great English, which makes it hard to parse), several exchanges were not parsing the status of the transaction correctly. In particular, the hard_fail could be used in order to get the TX processed on the exchange while it was still chilling in the mempool. This is very hard to make happen, which is why the exchange probably never handled this case. To me, it's crazy that they didn't solely look for executed and wait until complete finalization of the block. However, this is an older article so I'll give the company a break :) Still, an interesting way to attack various chains nonetheless.
Analysis Summary
# Vulnerability: EOS False Top-up via `hard_fail` Status Manipulation
## CVE Details
- **CVE ID**: N/A (Business Logic/Integration Flaw)
- **CVSS Score**: 7.5 (High) - *Estimated based on Impact/Complexity*
- **CWE**: CWE-697 (Incorrect Comparison), CWE-20 (Improper Input Validation)
## Affected Systems
- **Products**: Centralized cryptocurrency exchanges, digital wallets, and DApps (Decentralized Applications) interacting with the EOS blockchain.
- **Versions**: Any integration active circa March 2019 that did not strictly validate transaction status fields.
- **Configurations**: Systems that monitor the EOS mempool or blockchain for transactions but fail to verify that the execution status is explicitly set to `executed`.
## Vulnerability Description
The vulnerability stems from the way EOS handles transaction states, specifically "Deferred Transactions." While most developers expect transactions to either succeed (`executed`) or fail, EOS includes a `hard_fail` status. A `hard_fail` occurs when a deferred transaction fails objectively and fails to trigger its own error handler.
Attackers can use the `cleos` command-line tool with the `--delay-sec` parameter to create a delayed transaction. Vulnerable exchanges or DApps may detect the transaction on the chain or in the mempool and credit the user's account balance before the delay period expires. If the transaction eventually results in a `hard_fail`, the transfer of funds never actually occurs on the ledger, but the exchange has already credited the "false top-up" to the attacker's internal database.
## Exploitation
- **Status**: Exploited in the wild (Multiple instances confirmed in March 2019).
- **Complexity**: Medium (Requires knowledge of EOS transaction lifecycle and use of `cleos`).
- **Attack Vector**: Network (Remote submission of malicious transactions to the blockchain).
## Impact
- **Confidentiality**: None
- **Integrity**: High (Allows for unauthorized creation of credit/balance within centralized systems).
- **Availability**: None
## Remediation
### Patches
- This is not a vulnerability in the EOSIO core software but a flaw in how third-party services integrate with it. No "patch" exists for the chain; service providers must update their logic.
### Workarounds
- **Strict Status Validation**: Ensure that the deposit-processing logic strictly checks for `status: "executed"`. Any other status (including `hard_fail`, `soft_fail`, `delayed`, or `expired`) must be treated as a failed or pending transaction.
- **Finality Confirmation**: Wait for the block containing the transaction to be marked as "Permanent" (Irreversible) before crediting funds.
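The two workarounds above as a deposit gate, written here as an added example rather than code from SlowMist or any exchange. The receipt layout is assumed to follow the shape of the history API's `get_transaction` reply (`trx.receipt.status`, `trx.trx.delay_sec`, `block_num`); the receipts, block numbers and account names are constructed placeholders, and `suspicious_senders` also implements the "repeated failed transactions from one account" indicator from the Detection section.

```python
"""Deposit gate for EOS transfers: credit only `executed` receipts in irreversible blocks.
Receipt shape assumed from the history API's get_transaction reply
(trx.receipt.status, trx.trx.delay_sec, block_num); all sample data is constructed."""
from collections import Counter
from typing import Any

CREDIT, PENDING, REJECT = "credit", "pending", "reject"

def classify_deposit(tx: dict[str, Any], last_irreversible_block: int) -> str:
    """Return CREDIT only for an `executed` receipt in an irreversible block."""
    status = tx.get("trx", {}).get("receipt", {}).get("status")
    delay_sec = tx.get("trx", {}).get("trx", {}).get("delay_sec", 0)
    block_num = tx.get("block_num")
    # hard_fail/soft_fail/expired never moved funds on the ledger.
    if status in ("hard_fail", "soft_fail", "expired"):
        return REJECT
    # `delayed` (or any non-zero delay_sec) only schedules a deferred transfer;
    # its real outcome arrives later as a separate receipt.
    if status == "delayed" or delay_sec:
        return PENDING
    # Whitelist: anything other than `executed` is untrusted.
    if status != "executed":
        return REJECT
    # Executed but the block is still reversible: wait for finality.
    if block_num is None or block_num > last_irreversible_block:
        return PENDING
    return CREDIT

def suspicious_senders(txs: list[dict[str, Any]], threshold: int = 2) -> set[str]:
    """Accounts with repeated failed receipts (indicator from the Detection section)."""
    fails = Counter(tx["sender"] for tx in txs
                    if tx["trx"]["receipt"]["status"] in ("hard_fail", "soft_fail"))
    return {acct for acct, n in fails.items() if n >= threshold}

def _receipt(sender: str, status: str, block_num: int, delay_sec: int = 0) -> dict[str, Any]:
    return {"sender": sender, "block_num": block_num,
            "trx": {"receipt": {"status": status}, "trx": {"delay_sec": delay_sec}}}

SAMPLE_LIB = 1000  # constructed last-irreversible block number
SAMPLE_TXS = [  # constructed receipts; account names are placeholders
    _receipt("honestuser11", "executed", 990),               # final -> credit
    _receipt("honestuser11", "executed", 1005),              # reversible -> pending
    _receipt("suspectacct1", "delayed", 995, delay_sec=60),  # scheduled -> pending
    _receipt("suspectacct1", "hard_fail", 998),              # failed -> reject
    _receipt("suspectacct1", "hard_fail", 999),              # repeat -> flag account
]

if __name__ == "__main__":
    for tx in SAMPLE_TXS:
        print(tx["sender"], tx["trx"]["receipt"]["status"], "->", classify_deposit(tx, SAMPLE_LIB))
    print("flagged:", suspicious_senders(SAMPLE_TXS))
```

A receipt classified as `pending` is re-queried later against a fresh last-irreversible block number; only `credit` touches the internal balance.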
## Detection
- **Indicators of Compromise**:
  - Transactions sent with a non-zero `delay-sec` value.
  - Repeated transactions from the same account that result in `hard_fail` or `soft_fail` statuses.
  - Discrepancies between internal exchange balances and actual on-chain hot wallet balances.
- **Detection methods**: Monitor blockchain history for the accounts listed in the report (e.g., `fortherest12`, `bobukulabobu`, `cuancuan2323`) or use EOS block explorers (like EOSPark) to filter for `hard_fail` status events.
## References
- hxxps://slowmist.medium[.]com/details-and-solutions-for-false-top-up-attack-hard-fail-status-attack-on-eos-676b899d27b6
- hxxps://github[.]com/slowmist/eos-smart-contract-security-best-practices
- hxxps://mp.weixin.qq[.]com/s/CtAKLNe0MOKDyUFaod4_hw