Understanding (Mis)Behavior on the EOSIO Blockchain

Published: 12 June 2020

Abstract

    EOSIO has become one of the most popular blockchain platforms since its mainnet launch in June 2018. In contrast to traditional PoW-based systems (e.g., Bitcoin and Ethereum), which are limited by low throughput, EOSIO is the first high-throughput Delegated Proof of Stake system to be widely adopted by decentralized applications. Although EOSIO has millions of accounts and billions of transactions, little is known about its ecosystem, especially with regard to security and fraud. In this paper, we perform a large-scale measurement study of the EOSIO blockchain and its associated DApps. We gather a large-scale dataset of EOSIO and characterize activities including money transfers, account creation and contract invocation. Using our insights, we then develop techniques to automatically detect bots and fraudulent activity. We discover thousands of bot accounts (over 30% of the accounts in the platform) and a number of real-world attacks (301 attack accounts). By the time of our study, 80 of the attack accounts we identified had been confirmed by DApp teams, causing losses of 828,824 EOS tokens (roughly $2.6 million) in total.

    Information & Contributors

    Information

    Published In

    Proceedings of the ACM on Measurement and Analysis of Computing Systems  Volume 4, Issue 2
    SIGMETRICS
    June 2020
    623 pages
    EISSN:2476-1249
    DOI:10.1145/3405833

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 12 June 2020
    Published in POMACS Volume 4, Issue 2


    Author Tags

    1. attack detection
    2. blockchain
    3. bot account
    4. dapp
    5. eosio

    Qualifiers

    • Research-article
