Follow up: Steal my EOS - An experiment on the EOSIO Mainnet

in #eos, 6 years ago

Four days ago, I bravely (idiotically) publicly posted an active EOS private key on the internet and challenged the public to steal my EOS.

Spoiler alert: The results are in! I still have all my EOS!

You don't need to take my word for it... The magic of a public blockchain allows you to verify for yourself by using any block explorer -- a tool designed to review historic blocks, accounts, transactions, and actions recorded on a blockchain.

yostealmyeos -- the account created for this experiment, still has all 5 EOS I started this experiment with!

What happened?

I started the experiment with 5 EOS. 2.5 were staked for bandwidth, and 2.5 staked for CPU power.

Only a few minutes after posting my EOS private key publicly, I noticed unusual activity in my EOS account.

Here is a quick rundown of what ensued:

9:04 A.M. CST The majority of my tokens were undelegated (unstaked), unbeknownst to me. Luckily the process takes 3 days to complete -- and coins must be unstaked to transfer. Whew!

9:07 A.M. - 9:15 A.M. Hackers accessed the account and used it to delegate CPU and Bandwidth to 3rd parties.

9:30 A.M. I've lost control of my EOS active key -- my active key was overwritten and now the holder of the private key of EOS7Yee2ZgSQLcbSc5wNjdoA9rdz1cffdwqCsLZvcV1Gys9et3X5G has taken control of my EOS active key. Now the private key in my EOS key I posted is no good for anything, and this new active key holder and myself (owner key) are the only ones with control of the account. Luckily, I still had an EOS OWNER key in my possession, linked to a different EOS public/private keypair ;-)

9:34 - 9:42 A.M. All tokens are unstaked again. Then user alepacheco11 delegates yostealmyeos some network resources, and uses it to buy and sell RAM -- earning the account some extra EOS (more than I started with!)

10:59 A.M. User mariusactive shakes things up by sending yostealmyeos 1 EOS (unstaked!)

11:30 A.M. User alepacheco11, in control of the active key, uses it to "cash out" the unstaked EOS.

11:33-11:40 A.M. A battle over the active key ensues. I keep resetting the active key back to EOS5ueRfpHnWxbxysRpcsUkBsma7vWvZjgQYi9jU9cY7wyiSQd9Zx (linked to the private key in my steemit post), while others overwrite it to control the keys themselves.

24 hours later The 5 EOS in the account are still in the process of unstaking. The account does not have any network resources remaining for new transactions and the account hasn't seen any new activity. I decide the fun and games are over, so I first delegate some network resources to the account and then use https://eostoolkit.io/ with my owner key to reset the active key to a keypair that only I control.

24 hours later Hacker alepacheco11 admits defeat and gives up on the challenge!
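The timeline above, replayed as a monitoring check (an added example, not part of the original post): it tracks which keys hold each permission and raises an alert on unstaking, on a key change to an untrusted key, on transfers made while the active key is untrusted, and on recovery through the owner key. The action names and the `updateauth` authority shape follow the EOSIO system contract; the record layout, the `day1`/`day2` timestamps, the transfer quantity and both placeholder keys are constructed.

```python
from typing import Dict, List

POSTED_KEY = "EOS5ueRfpHnWxbxysRpcsUkBsma7vWvZjgQYi9jU9cY7wyiSQd9Zx"    # from the post
TAKEOVER_KEY = "EOS7Yee2ZgSQLcbSc5wNjdoA9rdz1cffdwqCsLZvcV1Gys9et3X5G"  # from the post
OWNER_KEY = "EOS_OWNER_KEY_PLACEHOLDER"        # placeholder: not published on the page
NEW_ACTIVE_KEY = "EOS_NEW_ACTIVE_PLACEHOLDER"  # placeholder: not published on the page

def auth(key: str) -> Dict:
    """Single-key authority in the shape an updateauth action carries."""
    return {"threshold": 1, "keys": [{"key": key, "weight": 1}]}

# Constructed records modelled on the timeline; this layout is an assumption.
ACTIONS = [
    {"t": "day1 09:04", "name": "undelegatebw", "signed_as": "active", "data": {}},
    {"t": "day1 09:30", "name": "updateauth", "signed_as": "active",
     "data": {"permission": "active", "auth": auth(TAKEOVER_KEY)}},
    {"t": "day1 11:30", "name": "transfer", "signed_as": "active",
     "data": {"quantity": "1.0000 EOS"}},
    {"t": "day2 09:00", "name": "updateauth", "signed_as": "owner",
     "data": {"permission": "active", "auth": auth(NEW_ACTIVE_KEY)}},
]

def replay(actions: List[Dict], perms: Dict[str, set], trusted: set) -> List[str]:
    """Replay actions over the permission state and return alert strings."""
    alerts = []
    for a in actions:
        compromised = not perms["active"] <= trusted  # state before this action
        if a["name"] == "updateauth":
            target = a["data"]["permission"]
            new_keys = {k["key"] for k in a["data"]["auth"]["keys"]}
            perms[target] = new_keys
            if not new_keys <= trusted:
                alerts.append(f'{a["t"]} {target} key replaced with untrusted key')
            elif compromised and a["signed_as"] == "owner":
                alerts.append(f'{a["t"]} {target} recovered via owner')
        elif a["name"] == "undelegatebw":
            alerts.append(f'{a["t"]} unstake started: 3-day refund window to respond')
        elif a["name"] == "transfer" and compromised:
            alerts.append(f'{a["t"]} transfer while active key is untrusted')
    return alerts

def owner_active_overlap(perms: Dict[str, set]) -> set:
    """Keys on both owner and active: one leak of such a key loses the account."""
    return perms["owner"] & perms["active"]

def run_sample() -> List[str]:
    perms = {"owner": {OWNER_KEY}, "active": {POSTED_KEY}}
    # The posted key is public, so only the owner key and its replacement are trusted.
    return replay(ACTIONS, perms, trusted={OWNER_KEY, NEW_ACTIVE_KEY})
```

`owner_active_overlap` returns a non-empty set for an account whose owner and active permissions share one key, which is the case where no separate owner key exists to reset a stolen active key.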

  1. Some of my favorite block explorers for EOSIO Mainnet (in no particular order of preference)
    http://www.eosflare.com
    http://www.eospark.com
    http://www.eosweb.net
    https://www.eosquery.com
    https://eostracker.io/
    http://eosnetworkmonitor.io/

Thanks to all that participated in this challenge:

If you are interested in EOS related news and projects, please subscribe to my e-mail newsletter at http://www.eosinsider.io

Should I double down on this challenge?
Should we do this again? Please leave your comments below :-)

Hi @eosinsider this is alepacheco11 the “hacker” hahah. Nice to see the follow up. You were pretty brave doing this challenge. Unfortunately I couldn’t test my last experiment on Sunday (the keys were changed)

Take care!

Send me a message if you want the 1 EOS back.

How can I change my active/owner keys? Is it only command line right now?

Is it correct that all the owner/active keys were the same for the snapshot?

I believe the post you need to do should thoroughly explain this part of the above challenge as it is the key to the security you are highlighting.
" Luckily, I still had an EOS OWNER key in my possession, linked to a different EOS public/private keypair ;-)"
And maybe a well written tutorial on generating a safe key pair and a new account linked to an owner account. I am considering changing my genesis account's key pair for this very reason. If I did, I would use this tutorial from genereos
https://steemit.com/eos/@genereos/eos-how-to-quickly-and-safely-change-your-public-private-keys

Really a great experiment, and interesting. Can you locate his EOS user name?

It would be great to have a step by step guide or explanation on how to set up our accounts in this way. I’m sure many would really appreciate that!

That's a +1 from me too. I would like to know...going to try working it out and make a post myself

I agree. When you consider that your Genesis account is created with the "Owner" and "Active" keys being the same, if your private key is compromised the hacker can reauthorize even if tokens are staked and then you would have no control of your account. I have created a few accounts for my children that have my account as the "Owner" and their key pair is associated with the "Active". I have also created an account that has its own key pair. My next step would be to change my keys on my genesis account. I am deciding how to generate a secure key pair offline for that. I assume that when I change that key pair that account will still be recognized as the owner of the other accounts. Time will tell.

Lol the haters won't see this........ They be looking for faults..... Eos has brought security to our Assets... Dare keep your Ethereum private keys in public

You lost all your RAM, didn't you? Seems RAM is not really protected by separating owner key from active key and staking...

Great experiment! Would be good to a couple things that result from this and would be great if you could share:

  1. What are the steps to creating a new account name from your first Identity (from genesis-block).
  2. Highlight that the important thing is the OWNER key here to successful security ;)

Fucking legend !

What app are you using to change keys for a given account? I've set up two alternate accounts with special names, but at some point when a hardware wallet becomes available, I'd like to switch out the associated pub/priv keys while keeping the account names.