Zhou Hongyi on the "epic" blockchain vulnerability: the real security problem has not yet emerged

On May 29, 360 released a report on a high-risk security vulnerability in EOS, calling it "an epic vulnerability in blockchain" that could give an attacker complete control over virtual currency transactions. Zhou Hongyi posted on Weibo that this vulnerability is worth "billions of dollars"; if it were exploited illegally, EOS and in the worst case the entire virtual currency market could meet their Waterloo.
After the report was released, the price of EOS, which ranks fifth among digital currencies by global market value, fell by about 10% within a day and then recovered.
[Image: screenshot of Zhou Hongyi's Weibo post]
Is this vulnerability really that serious? Let's first understand three questions.
What is EOS?
EOS is a new blockchain platform billed as "Blockchain 3.0", which aims to provide an underlying blockchain platform for high-performance distributed applications. Its goal is a blockchain architecture that supports distributed applications in the way an operating system does.
By analogy, EOS is like the Windows operating system, except that this operating system supports distributed applications (DApps) and can run thousands of them on the platform at the same time.
The EOS architecture provides accounts, authentication, databases, asynchronous communication, and program scheduling and parallel execution across tens of thousands of CPU/GPU clusters. EOS is meant to eventually support millions of transactions per second, while ordinary users do not have to pay to use smart contracts. At present the market value of its token, EOS, is as high as 69 billion RMB, ranking fifth in the world.
What is the vulnerability?
According to 360's report, the vulnerability is a buffer out-of-bounds write in the underlying EOS code that parses smart contracts. An attacker can upload a malicious smart contract to a node server; when the node parses the contract, the malicious code is executed on the server and takes control of the node.
Having taken control of a node server, the attacker can steal the super node's private key, package the malicious contract into a new block, and go on to control every node in the EOS network.
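The bug class the report describes, as an added example that is neither 360's nor EOS's code: a hypothetical parser for an untrusted contract blob (constructed format, not EOS's real one) that checks every length read from the input before copying. The `NAME_MAX` check is the one whose absence would let an oversized field write past the destination buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, constructed contract blob layout used only for this
 * illustration (not EOS's real contract format):
 *   [u8 name_len][name bytes][u32 code_len, little-endian][code bytes] */
#define NAME_MAX 12

typedef struct {
    char name[NAME_MAX + 1];
    uint32_t code_len;
    const uint8_t *code;
} contract_t;

/* Parse an untrusted blob. Returns 0 on success, a negative code on
 * rejection. Every length read from the blob is checked against the
 * destination buffer and the remaining input before any copy; dropping
 * the NAME_MAX check is the classic out-of-bounds write in a parser. */
int parse_contract(const uint8_t *buf, size_t len, contract_t *out) {
    size_t pos = 0;
    if (buf == NULL || out == NULL || len < 1) return -1;
    uint8_t name_len = buf[pos++];
    if (name_len > NAME_MAX) return -2;       /* would overflow out->name */
    if (name_len > len - pos) return -3;      /* would read past the input */
    memcpy(out->name, buf + pos, name_len);
    out->name[name_len] = '\0';
    pos += name_len;
    if (len - pos < 4) return -4;             /* length field truncated */
    uint32_t code_len = (uint32_t)buf[pos] | ((uint32_t)buf[pos + 1] << 8) |
                        ((uint32_t)buf[pos + 2] << 16) | ((uint32_t)buf[pos + 3] << 24);
    pos += 4;
    if (code_len > len - pos) return -5;      /* declared code exceeds input */
    out->code_len = code_len;
    out->code = buf + pos;                    /* no copy; caller owns buf */
    return 0;
}

/* Constructed sample blobs. */
static const uint8_t good_blob[] = { 5, 'h', 'e', 'l', 'l', 'o', 3, 0, 0, 0, 0x00, 0x61, 0x73 };
static const uint8_t bad_blob[]  = { 200, 'x', 'x', 0, 0, 0, 0 };   /* name_len 200 > NAME_MAX */

int check_good(void) {
    contract_t c;
    return parse_contract(good_blob, sizeof good_blob, &c) == 0 &&
           c.code_len == 3 && strcmp(c.name, "hello") == 0;
}
int check_bad(void) { contract_t c; return parse_contract(bad_blob, sizeof bad_blob, &c); }
int check_truncated(void) { contract_t c; return parse_contract(good_blob, 3, &c); }
```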
How was the vulnerability discovered?
On the afternoon of the 29th, Zheng Wenbin, chief security engineer at 360, said that as early as May 11 of this year there had been a remote code execution vulnerability in EOS. At 1 pm on May 28, 360 completed a demonstration of taking over the entire EOS network through the vulnerability, verifying that it was exploitable. Late on the night of the 28th, 360 sent the vulnerability details to the EOS project. On May 29, the vendor fixed the vulnerability on GitHub, the open-source project hosting platform, and resolved the problem.
Today, Zhou Hongyi, China Maker mentor and founder, chairman and CEO of 360, held a dialogue with Wang Feng, founder of Blueport Interactive and of Mars Finance, in the "3 o'clock Mars Finance Founding Learning Group", describing in detail how 360 disclosed the serious EOS security vulnerability and his views on blockchain security.
[Photo: Zhou Hongyi / Vision China]
"It is no exaggeration that this loophole is worth tens of billions of dollars."
Q: On May 29, 360 broke the news about the serious EOS security vulnerability, and then within one day 360 announced cooperation with projects such as Binance, Eurochain, EOS LaoMao and Dbank. Why?
Zhou Hongyi: We are security experts, so we began paying attention to blockchain security at the end of last year and the beginning of this year. Although many blockchain and digital currency designs are advertised as very secure, any software system, as long as it is sufficiently complex, will have bugs and vulnerabilities, and once they are exploited they bring risks and security problems.
Before, everyone was focused on the business opportunities the blockchain brings, but few people paid attention to blockchain security. We have recently found that many blockchain systems, exchange systems and wallet systems have security problems. EOS is about to go live and is very representative of the blockchain industry. This time we found EOS vulnerabilities and submitted them to the other party, hoping to urge them to fix the system.
Many people cooperating with us shows that people are beginning to pay attention to security.
We are very open and have no position. We are willing to help all players protect their users' security and hope to develop the security ecosystem of the blockchain industry.
Q: Before 360 announced EOS vulnerability #3498, 3,497 EOS bugs had been submitted on GitHub, but few people paid attention to their impact. What do you think of the severity of the vulnerability disclosed yesterday? Why did 360 Security Guard call it an "epic" vulnerability on Weibo?
Zhou Hongyi: If the vulnerability is exploited, it can control every node and every server in the EOS network, which means taking over not only the virtual currency, the various transactions and the applications in the network, but also all the participating node servers. Once you have server privileges, you can do whatever you want.
If someone makes a malicious smart contract, they can take away all the digital currency in it directly.
For blockchain networks, the seriousness of this vulnerability can be imagined.
Let's talk about "epic". Everyone knows the importance of EOS in the history of blockchain development. If we had not raised this vulnerability and EOS had not fixed it, and it had then been discovered and exploited by malicious hackers after the EOS mainnet went live, EOS might have been destroyed overnight. It is hard to say.
EOS is now valued at at least $10 billion, so I don't think it is an exaggeration to say this vulnerability is worth $10 billion.
In addition, "epic level" is a term from the security community. It is translated from "epic"; foreign security communities often use "epic bug" or "epic fail" to describe major security vulnerabilities.
Q: In the early morning of the 30th, BM, the founder of EOS, responded in the Telegram group to the EOS security vulnerability disclosed by 360, saying that the vulnerability mentioned in 360's report had already been fixed by EOS, earlier than the time 360 released the report, and that the vulnerability could not rewrite executable memory. He implied that 360 was creating panic, and declared that any behaviour that provokes market panic would be disqualified. What do you think of this?
Zhou Hongyi: Our security team first contacted the BM team directly on May 28. Specifically, we contacted BM privately first and informed them of the EOS vulnerability, hoping they would fix it first. There are screenshots of the chat records, and we said we would release the vulnerability announcement after the fix.
Vulnerabilities that we security vendors disclose to the public must first be communicated to the other party and submitted to them for repair, and only after they confirm the repair do we make them public.
Because if EOS had not fixed it and we had published it, a wave of hackers would certainly have attacked it immediately, so of course we published the report later than the time of the fix.
This is the same for all security vulnerabilities in Microsoft, Google, Apple and so on. We first find the vulnerabilities, then study how hackers could exploit them, complete that research thoroughly, and then report to the relevant vendor; for EOS, that meant reporting the exploitation video and the detailed code involved to them. However, we do not announce it until the other party confirms the fix.
The vulnerabilities we submitted were confirmed as genuine and effective by EOS officials, and we have been communicating with EOS officials and BM about the submission and characterisation of the vulnerabilities. Moreover, when communicating with BM this morning, they still acknowledged our results and technical strength.
"The real security problem in the blockchain field has not yet come out."
Q: The disclosure of the EOS vulnerability made the Vulcan team famous overnight. Can you tell us more about them? Rumour has it that you and EOS will soon announce a cooperation. Is it convenient for you to disclose it?
Zhou Hongyi: Team 360 Vulcan was originally the attack and defence research team of our 360 Security Guard. One year they were going to participate in Pwn2Own, a rather prestigious world hacking competition, so they formed a team, namely Team Vulcan.
At present, we have no direct cooperation with EOS. Blockchain security is an issue we have been paying attention to for a while. In addition, 360 is also an Internet technology enterprise, and for major public chains like EOS we have been investing in technical research. Since the beginning of this year, we have had exchanges and discussions with some partners on EOS ecosystem construction, security protection, competition for main nodes and so on.
Q: There are rumours going around. Yesterday, 360 exposed the security vulnerability, which triggered all kinds of speculation and heckling. It was said that 360 and some organisations were shorting EOS. What do you think?
Zhou Hongyi: You should be able to tell from the timing of our disclosure that we are definitely not shorting.
If I really wanted to short maliciously, I could simply have kept quiet and waited for the EOS mainnet launch to blow up directly.
What we are doing now is the standard vulnerability notification mechanism of the security industry. We first contact the EOS team and submit the details of the vulnerability, and then announce it to the public after they have fixed it. This is a very responsible approach. We hope that EOS, and indeed the entire blockchain industry, will develop better.
Q: Apart from EOS, I have noticed that there have been several serious security incidents in Ethereum. Other blockchain projects need to be extra alert to security risks. What measures do you think blockchain enterprises themselves should take to strengthen blockchain security?
Zhou Hongyi: I think the real security problem in the blockchain field has not come out yet.
Through this disclosure of EOS vulnerabilities, we hope that everyone can pay attention to blockchain security issues.
Two situations in the network security industry are the most terrible. One is to be an ostrich in the desert, knowing and not changing; the other is knowing about a vulnerability that has not yet broken out and seeing it finally exploited.
I have recently been raising a concept called "great security". To put it simply, the impact of network security has evolved from simple information security at the start to network attacks whose threats extend from online to offline, and there are more and more new threats. The blockchain, as a new technology of the past two years, has encountered security threats, and I also classify it as a new threat.
In this situation, relying on an enterprise's own security protection capability is definitely limited, and conversely, relying on a security company like 360 alone is not enough, so the whole security industry needs to develop. In addition, vulnerability reward programmes can be set up so that the whole security community can help solve security problems. We help Google, Microsoft and Apple solve many problems every year. They all have their own vulnerability reward programmes to reward teams that submit vulnerabilities.
Q: If 360 enters the blockchain industry, where are the opportunities for 360?
Zhou Hongyi: When we look at the blockchain and set foot in the blockchain, we will definitely focus on security. In the future, there will be more security problems in the blockchain industry. The security problems encountered in the traditional Internet field will definitely be encountered in the blockchain industry.
This is our opportunity. Of course, we also have the confidence and strength to take responsibility in it and protect the healthy, stable and safe development of the blockchain industry.
Q: Can you introduce 360's layout and plans in blockchain security, such as how to do exchange security? How to do mining pool security? What about smart contract security?
Zhou Hongyi: In the future we will launch three systems based on the blockchain security ecosystem, mainly a digital currency wallet security audit system, a blockchain security situational awareness system, and blockchain node security solutions.
The digital currency wallet security audit system will list audit points in detail and explain how to build a safer digital wallet, so as to ensure the safety of users' property.
The blockchain security situational awareness system is based on 360 Security Brain and can automatically monitor abnormal blocks, abnormal transactions, abnormal addresses and smart contracts, which not only minimises transaction risks but also traces illegal digital currency. The blockchain node security solutions are currently aimed mainly at EOS.
[Image: 360's launch of the blockchain security situational awareness system]
"The code is written by people, and there will definitely be loopholes."
Q: What is the boundary of security business defined by 360?
Zhou Hongyi: Whether we are concerned with the security of artificial intelligence or of blockchain, they all have one thing in common: they all have to be implemented by writing code. And code is written by people, so there will definitely be vulnerabilities.
With new things, while seeing the bright side, I unconsciously see their potential security risks too. People who work in security are more like "gatekeepers", and they should always be suspicious and on guard.
Regarding the boundary, we are now entering a great security era. I don't think we can fence off the boundary of the security business. In the network security industry, more and more security problems will appear. This is a challenge for 360, but it is also our opportunity.
From an entrepreneur's point of view, or from the point of view of those running an enterprise, an enterprise should not be locked into one thing. Our core is the security gene. Based on this, our boundary is a limited and infinite boundary.
Q: Unlike the first-mover advantage of the PC Internet era, 360's advantage in the mobile Internet era is not obvious. Does this make you feel lost? You are an indomitable person. Will this be the driving force for 360 to enter the blockchain one day?
Zhou Hongyi: The security industry also has its exciting moments. Whether it was the ransomware in May last year or the EOS vulnerability yesterday, the whole industry immediately paid attention to you.
At the same time, safety is also a thing that needs to endure loneliness and long-term efforts.
In recent years, we have accumulated a lot of original core technology. For example, the cyberspace big data of 360 Security Brain is currently the largest in the world. Because of this big data and these data centres, 360 Security Brain's situational awareness, intelligent detection and removal, attack and defence and traceability, including emergency response, are now very competitive worldwide.
I don't admit defeat, but that does not mean I have to enter the blockchain; rather, I hope to continue to play 360's role of security guardian in the new era of great security. Once blockchain is applied, it may go deep into many aspects of life and production. Of course, 360 hopes to act as a "guardian" to escort the application of blockchain.