Critical EOS Blockchain Flaws Enable Remote Code Execution and Full Node Takeover

The 360 Vulcan team uncovered high‑risk EOS blockchain vulnerabilities that allow remote code execution on nodes, enabling attackers to control the entire network, and reported them to EOS officials for urgent remediation before the platform goes live.

Efficient Ops

The 360 Vulcan team discovered a series of high‑risk security vulnerabilities in the EOS blockchain platform, some of which enable remote code execution on EOS nodes, allowing attackers to take control of all nodes.

On the 29th, 360 promptly reported the flaws to EOS officials and helped remediate them; EOS network officials said the network will not go live until the issues are fixed.

Traditional software bugs can cause data leaks, but blockchain vulnerabilities can have far more severe consequences because they affect a financial system; a single node flaw can compromise thousands of nodes, and even low‑severity denial‑of‑service bugs could cripple an entire blockchain network.

EOS Supernode Attack: Virtual Currency Transactions Fully Controlled

In the attack, the attacker creates and publishes a malicious smart contract; EOS supernodes execute this contract and trigger the vulnerability. The attacker then uses the compromised supernode to package the malicious contract into new blocks, gaining remote control over all full nodes, including exchange deposit/withdrawal nodes and wallet servers.

With full control of the node systems, attackers can steal supernode keys, hijack virtual‑currency transactions, exfiltrate financial and privacy data such as exchange holdings, wallet keys, and user profiles, and even turn network nodes into botnet members to launch attacks or mine other cryptocurrencies.

EOS is a “blockchain 3.0” platform with a market cap of 69 billion RMB, ranking fifth globally. Numerous attack surfaces exist in nodes, wallets, mining pools, exchanges, and smart contracts, and 360’s security team has previously disclosed many severe vulnerabilities in these components.

The newly discovered vulnerabilities in EOS’s smart‑contract virtual machine represent unprecedented security risks that could affect other blockchain platforms; 360 hopes the disclosure will raise industry awareness and improve blockchain network security.
