Yuheng Huang
Xuanzhe Liu
Skip Abstract Section
Abstract
EOSIO has become one of the most popular blockchain platforms since its mainnet launch in June 2018. In contrast to the traditional PoW-based systems (e.g., Bitcoin and Ethereum), which are limited by low throughput, EOSIO is the first high throughput Delegated Proof of Stake system that has been widely adopted by many decentralized applications. Although EOSIO has millions of accounts and billions of transactions, little is known about its ecosystem, especially related to security and fraud. In this paper, we perform a large-scale measurement study of the EOSIO blockchain and its associated DApps. We gather a large-scale dataset of EOSIO and characterize activities including money transfers, account creation and contract invocation. Using our insights, we then develop techniques to automatically detect bots and fraudulent activity. We discover thousands of bot accounts (over 30% of the accounts in the platform) and a number of real-world attacks (301 attack accounts). By the time of our study, 80 attack accounts we identified have been confirmed by DApp teams, causing 828,824 EOS tokens losses (roughly \$2.6 million) in total.
- 2018. Defeating EOS Gambling Games: The Tech Behind Random Number Loophole. https://medium.com/@peckshield/ defeating-eos-gambling-games-the-tech-behind-random-number-loophole-cf701c616dc0.Google Scholar
- 2018. EOSIO Dawn 3.0 Now Available. https://medium.com/eosio/eosio-dawn-3-0-now-available-49a3b99242d7.Google Scholar
- 2018. EOS's Gloom: Real Users Account for 30% and 8 Million Yuan Lost to Hackers in Last Six Months. https: //news.8btc.com/eoss-gloom-real-users-account-for-30-and-8-million-yuan-lost-to-hackers-in-last-six-months.Google Scholar
- 2018. "Fake EOS Attack" Upgraded, 60K EOS Tokens Lost by EOSCast. https://blog.peckshield.com/2018/11/02/eos/.Google Scholar
- 2018. "Fake Transfer Notice" Loophole Details Explained, 140K EOS Tokens Lost by EOSBet. https://blog.peckshield. com/2018/10/26/eos/.Google Scholar
- 2018. FIBOS weekly. https://developpaper.com/fibos-weekly/.Google Scholar
- 2018. Hacker created 2190 accounts to circumvent ECAF (in Chinese). https://www.myoschain.com/blog/ 134430038970859522.Google Scholar
- 2019. API Endpoints. https://www.eosdocs.io/resources/apiendpoints/.Google Scholar
- 2019. Bots drove nearly 40% of internet traffic last year. https://thenextweb.com/security/2019/04/17/ bots-drove-nearly-40-of-internet-traffic-last-year-and-the-naughty-ones-are-getting-smarter/.Google Scholar
- 2019. Bots Index. https://github.com/hashbaby-com/eos-hall-of-shame/tree/master/bots.Google Scholar
- 2019. Clustering coefficient. https://en.wikipedia.org/wiki/Clustering_coefficient.Google Scholar
- 2019. DAppReview. https://www.dapp.review/.Google Scholar
- 2019. DAppTotal. https://dapptotal.com/.Google Scholar
- 2019. EOS DApps Lose Almost $1 Million to Hackers Over the Last Five Months. https://cointelegraph.com/news/ eos-dapps-lose-almost-1-million-to-hackers-over-the-last-five-months. Proc. ACM Meas. Anal. Comput. Syst., Vol. 4, No. 2, Article 37. Publication date: June 2020. Understanding (Mis)Behavior on the EOSIO Blockchain 37:27Google Scholar
- 2019. EOS Developer Documentation. https://developers.eos.io/eosio-nodeos/docs.Google Scholar
- 2019. EOS Development Tutorials. https://github.com/peckshield/EOS/tree/master/eos-tutorials.Google Scholar
- 2019. EOS news update: 2.09 million EOS disappears in a hack attack -- EOS accounts blocked by Houbi.Google Scholar
- 2019. EOS: porn blowing up transaction volumes? https://en.cryptonomist.ch/2019/09/03/ eos-porn-transaction-volumes/.Google Scholar
- 2019. EOS "Transaction Congestion Attack": Attackers Could Paralyze EOS Network with Minimal Cost. https: //blog.peckshield.com/2019/01/15/eos_CVE-2019--6199/.Google Scholar
- 2019. EOSIO Official Portal. https://eos.io/.Google Scholar
- 2019. EOSIO Permission Grant. https://blog.csdn.net/zhuxiangzhidi/article/details/81635688.Google Scholar
- 2019. EOSIO Secure Coding. https://github.com/peckshield/EOS/blob/master/eos-tutorials/README.md.Google Scholar
- 2019. EOS/USD market drops by 4% following $7.7 million EOS hack attack. https://www.fxstreet.com/cryptocurrencies/ news/eos-usd-market-drops-by-4-following-77-million-eos-hack-attack-201902262151.Google Scholar
- 2019. Libra Core implements a decentralized, programmable database which provides a financial infrastructure that can empower billions of people. https://github.com/libra/libra.Google Scholar
- 2019. Official Bitcoin Portal. https://bitcoin.org/en/.Google Scholar
- 2019. Official Ethereum Portal. https://www.ethereum.org/.Google Scholar
- 2019. Our AI Detects Your AI - Revealing the Secret Blockchain DApp World of Bots (Part 1 - EOS). https://medium. com/@AnChain.AI/our-ai-detects-your-ai-revealing-the-secret-blockchain-dapp-world-of-bots-eed8884a07.Google Scholar
- 2019. Pearson correlation coefficient. https://en.wikipedia.org/wiki/Pearson_correlation_coefficient.Google Scholar
- 2019. PeckShield Official Portal. https://www.peckshield.com/home.html?lang=en.Google Scholar
- 2019. Roll Back Attack about blacklist in EOS. https://medium.com/@slowmist/ roll-back-attack-about-blacklist-in-eos-adf53edd8d69.Google Scholar
- 2019. Roll Back Attack about replay in EOS. https://medium.com/@slowmist/ roll-back-attack-about-replay-in-eos-acddee979396.Google Scholar
- 2019. SlowMist Official Portal. https://www.slowmist.com/en/index.html.Google Scholar
- 2019. Study: 75% of EOS Dapp Transactions Are Now Made By Bots. https://www.coindesk.com/ study-75-of-dapp-transactions-are-now-made-by-bots.Google Scholar
- 2019. The Security Issues of EOSIO.Code Permission for EOS Wolf. https://bihu.com/article/992656.Google Scholar
- 2019. TRON Plagued By Infestation Of dApp Bots. https://cryptobriefing.com/ tron-plagued-by-infestation-of-dapp-bots-anchain-report/.Google Scholar
- 2020. Accounts and Permissions. https://developers.eos.io/welcome/latest/protocol/accounts_and_permissions.Google Scholar
- 2020. Glossary of EOSIO. https://developers.eos.io/welcome/latest/glossary/index.Google Scholar
- 2020. History of Histories. https://eos.discussions.app/tag/voice/3i4rwgpi8cqal/dan_larimer_history_of_histories.Google Scholar
- Massimo Bartoletti, Salvatore Carta, Tiziana Cimoli, and Roberto Saia. 2020. Dissecting Ponzi schemes on Ethereum: identification, analysis, and impact. Future Generation Computer Systems 102 (2020), 259--277.Google ScholarDigital Library
- Alex Biryukov, Dmitry Khovratovich, and Ivan Pustogarov. 2014. Deanonymisation of clients in Bitcoin P2P network. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 15--29.Google ScholarDigital Library
- Qiang Cao, Michael Sirivianos, Xiaowei Yang, and Tiago Pregueiro. 2012. Aiding the Detection of Fake Accounts in Large Scale Social Online Services. In Proceedings of the 9th USENIX Conference on Networked Systems Design and Implementation (NSDI'12). USENIX Association, USA, 15.Google ScholarDigital Library
- Qiang Cao, Xiaowei Yang, Jieqi Yu, and Christopher Palow. 2014. Uncovering Large Groups of Active Malicious Accounts in Online Social Networks. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 477--488.Google ScholarDigital Library
- Wren Chan and Aspen Olmsted. 2017. Ethereum transaction graph analysis. In 12th International Conference for Internet Technology and Secured Transactions (ICITST). 498--500.Google ScholarCross Ref
- N. Chavoshi, H. Hamooni, and A. Mueen. 2016. DeBot: Twitter Bot Detection via Warped Correlation. In 2016 IEEE 16th International Conference on Data Mining (ICDM). 817--822.Google Scholar
- Ting Chen, Yuxiao Zhu, Zihao Li, Jiachi Chen, Xiaoqi Li, Xiapu Luo, Xiaodong Lin, and Xiaosong Zhang. 2018. Understanding Ethereum via Graph Analysis. In IEEE International Conference on Computer Communications (INFOCOM). 1484--1492.Google ScholarCross Ref
- Weili Chen, Zibin Zheng, Jiahui Cui, Edith Ngai, Peilin Zheng, and Yuren Zhou. 2018. Detecting ponzi schemes on ethereum: Towards healthier blockchain technology. In Proceedings of the 2018 World Wide Web Conference (WWW '18). 1409--1418.Google ScholarDigital Library
- Giorgio Fagiolo. 2007. Clustering in complex directed networks. Physical Review E 76, 2 (2007), 026107.Google ScholarCross Ref
- Michael Fleder, Michael S. Kester, and Sudeep Pillai. 2015. Bitcoin Transaction Graph Analysis. arXivpreprintarXiv: 1502.01657 Proc. ACM Meas. Anal. Comput. Syst., Vol. 4, No. 2, Article 37. Publication date: June 2020. 37:28 Huang and Wang, et al.Google Scholar
- Zafar Gilani, Jon Crowcroft, Reza Farahbakhsh, and Gareth Tyson. 2017. The implications of twitterbot generated data traffic on networked systems. In Proceedings of the SIGCOMM Posters and Demos. 51--53.Google ScholarDigital Library
- Zafar Gilani, Reza Farahbakhsh, Gareth Tyson, and Jon Crowcroft. 2019. A large-scale behavioural analysis of bots and humans on twitter. ACM Transactions on the Web (TWEB) 13, 1 (2019), 1--23.Google ScholarDigital Library
- Ningyu He, Lei Wu, Haoyu Wang, Yao Guo, and Xuxian Jiang. 2020. Characterizing code clones in the Ethereum smart contract ecosystem. In Twenty-Fourth International Conference on Financial Cryptography and Data Security (FC '20).Google ScholarCross Ref
- Ningyu He, Ruiyi Zhang, Lei Wu, Haoyu Wang, Xiapu Luo, Yao Guo, Ting Yu, and Xuxian Jiang. 2020. Security Analysis of EOSIO Smart Contracts. arXiv preprint arXiv:2003.06568 (2020).Google Scholar
- Bo Jiang, Ye Liu, and WK Chan. 2018. Contractfuzzer: Fuzzing smart contracts for vulnerability detection. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering (ASE). ACM, 259--269.Google ScholarDigital Library
- Alan Kvanli, Robert Pavur, and Kellie Keeling. 2005. Concise managerial statistics. Cengage Learning. 81--82 pages.Google Scholar
- Dongsoo Lee and Dong Hoon Lee. 2019. Push and Pull: Manipulating a Production Schedule and Maximizing Rewards on the EOSIO Blockchain. In Proceedings of the Third ACM Workshop on Blockchains, Cryptocurrencies and Contracts (BCC '19). 11--21.Google ScholarDigital Library
- Sangsup Lee, Daejun Kim, Dongkwan Kim, Sooel Son, and Yongdae Kim. 2019. Who Spent My {EOS}? On the (In) Security of Resource Management of EOS. IO. In 13th {USENIX} Workshop on Offensive Technologies ({WOOT} 19).Google Scholar
- Chao Liu, Han Liu, Zhao Cao, Zhong Chen, Bangdao Chen, and Bill Roscoe. 2018. ReGuard: finding reentrancy bugs in smart contracts. In Proceedings of the 40th International Conference on Software Engineering (ICSE-C). 65--68.Google ScholarDigital Library
- Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, and Aquinas Hobor. 2016. Making Smart Contracts Smarter. In ACM SIGSAC Conference on Computer and Communications Security (CCS '16). 254--269.Google Scholar
- Damiano Di Francesco Maesa, Andrea Marino, and Laura Ricci. 2016. An analysis of the Bitcoin users graph: inferring unusual behaviours. In International Workshop on Complex Networks and their Applications. 749--760.Google Scholar
- Mark EJ Newman. 2003. Mixing patterns in networks. Physical Review E 67, 2 (2003), 026126.Google ScholarCross Ref
- Rogier Noldus and Piet Van Mieghem. 2015. Assortativity in complex networks. Journal of Complex Networks 3, 4 (2015), 507--542.Google ScholarCross Ref
- Silivanxay Phetsouvanh, Frédérique Oggier, and Anwitaman Datta. 2018. EGRET: Extortion Graph Exploration Techniques in the Bitcoin Network. In 2018 IEEE International Conference on Data Mining Workshops (ICDMW). 244--251.Google Scholar
- Lijin Quan, Lei Wu, and Haoyu Wang. 2019. EVulHunter: Detecting Fake Transfer Vulnerabilities for EOSIO's Smart Contracts at Webassembly-level. arXivpreprintarXiv:1906.10362Google Scholar
- Fergal Reid and Martin Harrigan. 2011. An Analysis of Anonymity in the Bitcoin System. In 2011 IEEE Third International Conference on Privacy, Security, Risk and Trust and 2011 IEEE Third International Conference on Social Computing. IEEE, 1318--1326.Google Scholar
- Dorit Ron and Adi Shamir. 2013. Quantitative Analysis of the Full Bitcoin Transaction Graph. In International Conference on Financial Cryptography and Data Security (FC). 6--24.Google Scholar
- Sukrit SKalra, Seep Goel, Mohan Dhawan, and Subodh Sharma. 2018. ZEUS: Analyzing Safety of Smart Contracts. In Network and Distributed Systems Security Symposium (NDSS). 1--12.Google Scholar
- Sergei Tikhomirov, Ekaterina Voskresenskaya, Ivan Ivanitskiy, Ramil Takhaviev, Evgeny Marchenko, and Yaroslav Alexandrov. 2018. Smartcheck: Static analysis of ethereum smart contracts. In Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain(WETSEB '18). IEEE, 9--16.Google ScholarDigital Library
- Christof Ferreira Torres, Julian Schütte, and Radu State. 2018. Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts. In The 34th Annual Computer Security Applications Conference (ACSAC '18). 664--676.Google Scholar
- Petar Tsankov, Andrei Dan, Dana Drachsler-Cohen, Arthur Gervais, Florian Bünzli, and Martin Vechev. 2018. Securify: Practical Security Analysis of Smart Contracts. In ACM SIGSAC Conference on Computer and Communications Security (CCS).Google ScholarDigital Library
- Onur Varol, Emilio Ferrara, Clayton A Davis, Filippo Menczer, and Alessandro Flammini. 2017. Online human-bot interactions: Detection, estimation, and characterization. In Eleventh international AAAI conference on web and social media.Google ScholarCross Ref
- Gang Wang, Tristan Konolige, Christo Wilson, Xiao Wang, Haitao Zheng, and Ben Y. Zhao. 2013. You Are How You Click: Clickstream Analysis for Sybil Detection. In 22nd USENIX Security Symposium (USENIX Security 13). 241--256.Google Scholar
- Pengcheng Xia, Bowen Zhang, Ru Ji, Bingyu Gao, LeiWu, Xiapu Luo, HaoyuWang, and Guoai Xu. 2020. Characterizing Cryptocurrency Exchange Scams. arXiv preprint arXiv:2003.07314 (2020).Google Scholar
- Chen Zhao and Yong Guan. 2015. A Graph-based investigation of Bitcoin transactions. In 11th IFIP International Conference on Digital Forensics (DF). 79--95.Google ScholarCross Ref
Index Terms
- Understanding (Mis)Behavior on the EOSIO Blockchain
Recommendations
Understanding (Mis)Behavior on the EOSIO Blockchain
EOSIO has become one of the most popular blockchain platforms since its mainnet launch in June 2018. In contrast to the traditional PoW-based systems (e.g., Bitcoin and Ethereum), which are limited by low throughput, EOSIO is the first high throughput ...
Understanding (Mis)Behavior on the EOSIO Blockchain
SIGMETRICS '20: Abstracts of the 2020 SIGMETRICS/Performance Joint International Conference on Measurement and Modeling of Computer SystemsEOSIO has become one of the most popular blockchain platforms since its mainnet launch in June 2018. In contrast to the traditional PoW-based systems (e.g., Bitcoin and Ethereum), which are limited by low throughput, EOSIO is the first high throughput ...
Crypto Wallet Working on Low-cost 4G LTE Mobile Phone (video)
MobiSys '19: Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and ServicesIn this paper, we describe a simple and light way of using 4G LTE low-cost phone as blockchain cryptocurrencies wallet on-the-go. The main purpose of this project is to make general mobile phone user could easily use Crypto Wallet " a crypto currency ...
Comments