
Cyber Incident Victim: EOSPlay

Date:

Sep 2019

Location:

Summary

A hacker exploited an alleged bug in a blockchain-based betting platform by leveraging EOS REX, a decentralized finance service, to manipulate transaction processing and secure continuous wins, resulting in the theft of approximately 30,000 EOS (over $110,000) while spending only around $1,000. The attack caused significant network congestion, with conflicting reports on whether it froze the EOS blockchain—some users claimed disruptions to decentralized applications and wallets due to CPU resource exhaustion, while network representatives asserted it merely overloaded bandwidth without halting core operations. Despite the incident, the EOS cryptocurrency price increased notably during the period.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On September 14, 2019, an attacker exploited a vulnerability in EOSPlay, a decentralized betting application on the EOS blockchain, stealing approximately 30,000 EOS (valued at over $110,000) while spending only 300 EOS ($1,200) to execute the attack. The hacker leveraged EOS REX (Resource Exchange), a decentralized finance platform allowing users to lend EOS tokens in exchange for additional CPU resources on the network. By utilizing REX to acquire substantial CPU bandwidth, the attacker flooded the blockchain with high-volume transactions, ensuring their bets consistently dominated block space and resulted in consecutive wins on EOSPlay. This transaction spamming strategy effectively manipulated the game's mechanics to guarantee favorable outcomes. The attack caused significant network congestion, with some users reporting temporary disruptions to DApp functionality and wallet operations due to strained CPU availability. Blockchain explorer data indicated the incident lasted approximately one hour, during which the attacker executed multiple winning transactions in rapid succession. EOSPlay's smart contract design failed to mitigate this resource-based manipulation, enabling the financial theft.


EOS chief technology officer Daniel Larimer publicly addressed the incident, clarifying that the network itself operated correctly despite the congestion, comparing the situation to transaction spam attacks occasionally experienced by Bitcoin or Ethereum. He emphasized that core token holders retained network access, while only surplus "free" bandwidth became unavailable during the peak activity. User reports conflicted regarding the severity of network disruption, with entrepreneur Jared Moore and others claiming temporary blockchain freezes affecting DApps and wallets, while Reddit users cited Blocks.io explorer data showing continued block production throughout the incident. Despite these operational concerns and associated fear, uncertainty, and doubt (FUD), EOS cryptocurrency prices rose approximately 8.3% within 24 hours, climbing from $3.70 to over $4.00 and outperforming other top-20 cryptocurrencies by market capitalization at the time. No containment measures or protocol-level responses by EOS developers were documented in available reports, and EOSPlay's subsequent adjustments to prevent similar exploits remained unconfirmed in the source material.

Sources
Sources available to members
1 source