Attacker steals more than 30,000 EOS by loading the network with rented resources

in #eoscrime, 5 years ago

An attacker stole at least 30,000 EOS, worth over $110,000 at the current exchange rate, from gaming applications on the network by loading it with leased resources.

To carry out the attack, he leased large amounts of CPU and RAM resources on the EOS REX exchange, which launched earlier this year. With these resources, he was able to prioritize his transactions over those of other users and direct them at the EOSPlay contract.

Initially, users assumed that the attacker was somehow predicting the outcome of rounds from information available in previous blocks, but a different explanation emerged later, involving filling future blocks with transactions on an overloaded network: "No one knows a random number in advance. The attacker fills the queue with different transactions and then waits for them to reach the block where the outcome of the bet will be determined. If the outcome is negative, it disables the transactions, sending them into an infinite loop and thus preventing them from losing."

One smart contract developer said that not only EOSPlay, but also some other applications that used additional accounts to interact with it, were likely to have been attacked, but the scheme remained the same.

Presumably, the attacker spent about 300 EOS on renting resources to carry out the plan. As a result, neither the network's users nor the EOSPlay developers themselves could take action on the network to stop the malicious activity in their contract.

Commenting on what happened, EOS technical director Daniel Larimer noted that protocol vulnerabilities have nothing to do with this attack. Similarly, attackers can fill the Bitcoin and Ethereum blockchains with high-fee transactions. He recommended that the EOSPlay developers either reduce the CPU requirement for contract termination or rent enough resources to be able to intervene if necessary.
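
A defender-side check for the pattern described above, added here as an example and not taken from the article or from EOSPlay: it flags accounts whose bets mostly fail while the ones that do execute almost always win. The record fields, thresholds and sample data are assumptions made for illustration, and it assumes the operator can observe failed as well as executed bet transactions (for example from node logs).

```python
from collections import defaultdict

# Constructed sample records (not real chain data): one entry per bet
# transaction sent to a game contract. status is "executed" or "failed"
# (the transaction aborted or ran out of CPU time); "won" is only
# meaningful for executed bets.
SAMPLE_TXS = (
    [{"account": "alice", "status": "executed", "won": i % 2 == 0} for i in range(20)]
    + [{"account": "bob", "status": "executed", "won": i % 3 == 0} for i in range(18)]
    + [{"account": "bob", "status": "failed", "won": False} for _ in range(2)]
    # "mallory" shows the pattern from the article: losing bets never land.
    + [{"account": "mallory", "status": "executed", "won": True} for _ in range(12)]
    + [{"account": "mallory", "status": "failed", "won": False} for _ in range(28)]
)


def flag_selective_failures(txs, min_txs=20, min_fail_ratio=0.5, min_win_rate=0.9):
    """Return accounts whose bets mostly fail while executed ones almost always win."""
    stats = defaultdict(lambda: {"total": 0, "failed": 0, "executed": 0, "won": 0})
    for tx in txs:
        s = stats[tx["account"]]
        s["total"] += 1
        if tx["status"] == "failed":
            s["failed"] += 1
        else:
            s["executed"] += 1
            s["won"] += 1 if tx["won"] else 0

    flagged = {}
    for account, s in stats.items():
        if s["total"] < min_txs or s["executed"] == 0:
            continue  # too little data to judge this account
        fail_ratio = s["failed"] / s["total"]
        win_rate = s["won"] / s["executed"]
        # Honest players lose on-chain; a high failure rate combined with a
        # near-perfect win rate means losses are being kept off the chain.
        if fail_ratio >= min_fail_ratio and win_rate >= min_win_rate:
            flagged[account] = {"fail_ratio": round(fail_ratio, 2),
                                "win_rate": round(win_rate, 2)}
    return flagged


if __name__ == "__main__":
    for account, metrics in flag_selective_failures(SAMPLE_TXS).items():
        print(account, metrics)
```
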
