A purported failure to update the EOS blacklist allowed an anonymous hacker to move 2.09 million EOS.
An anonymous hacker managed to move 2.09 million EOS ($7.7 million) from a hacked account due to an alleged failed update by an EOS block producer (BP), according to a Telegram post by EOS block producer EOS42 on Feb. 23.
The EOS blockchain has a feature that relies on BPs to blacklist compromised accounts; the blacklist only works if all of the top 21 BPs apply it, since any producer that does not will still include the blacklisted account's transactions in the blocks it produces. On Feb. 22, a new EOS block producer named “games.eos” apparently did not update the blacklist for EOS mainnet accounts.
Subsequently, the security team of major global crypto exchange Huobi — using blacklist data from EOS Core Arbitration Forum (ECAF) — detected assets pouring from EOS blacklisted accounts into Huobi accounts. Huobi subsequently froze the accounts and the associated assets, according to a tweet on Feb. 23.
Following the incident, EOS42 made a new proposal, suggesting that the keys of blacklisted accounts be nullified instead of leaving every single BP on the EOS mainnet with an effective veto over enforcement. Per EOS42, nullifying keys is more effective than a “‘broken’ blacklist” and still allows an account to be saved and returned to its rightful owner.
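The failure mode described above, as an added example that is not EOS code or anything published by EOS42, Huobi or ECAF: a toy model of 21 block producers, each with its own locally configured blacklist, in which one producer (named “games.eos” here to follow the report) has not applied the blacklist. An attacker who keeps re-broadcasting a transfer from the blacklisted account gets it included as soon as the stale producer's slot comes up. The same model shows the two mitigations the article mentions: an exchange-side screen of incoming deposits against the ECAF blacklist, and an on-chain key nullification, which every node checks as a consensus rule rather than as a per-producer policy. All account names, balances and the slot schedule are constructed; the real EOS authority model is richer than the single flag used here.

```python
"""Toy model (constructed example, not EOS software) of a producer-local blacklist
versus an on-chain key nullification. All names and numbers are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    sender: str
    receiver: str
    amount: int


class Producer:
    """A block producer with its own locally configured account blacklist."""

    def __init__(self, name, blacklist=()):
        self.name = name
        self.blacklist = set(blacklist)

    def accepts(self, tx):
        # Producer-side filtering: only the producer scheduled for a slot applies it.
        return tx.sender not in self.blacklist


class Chain:
    def __init__(self, producers, balances, nullified=()):
        self.producers = list(producers)
        self.balances = dict(balances)
        # Accounts whose keys were replaced on-chain: rejected by every node, not just one producer.
        self.nullified = set(nullified)
        self.included = []  # (slot, producer name, tx)

    def submit(self, slot, tx):
        """Return True if the producer scheduled for `slot` includes tx in its block."""
        producer = self.producers[slot % len(self.producers)]
        if tx.sender in self.nullified:
            return False  # consensus rule: the compromised key no longer authorizes anything
        if not producer.accepts(tx):
            return False  # dropped by this producer only; the attacker can simply retry later
        if self.balances.get(tx.sender, 0) < tx.amount:
            return False
        self.balances[tx.sender] -= tx.amount
        self.balances[tx.receiver] = self.balances.get(tx.receiver, 0) + tx.amount
        self.included.append((slot, producer.name, tx))
        return True


def make_producers(stale):
    """21 producers; all enforce the blacklist except those named in `stale` (constructed names)."""
    names = [f"bp{i:02d}" for i in range(20)] + ["games.eos"]
    return [Producer(n, () if n in stale else ("victim",)) for n in names]


def attacker_retries(chain, tx, rounds=1):
    """Re-broadcast tx every slot for `rounds` full schedules; return the slot of inclusion or None."""
    for slot in range(rounds * len(chain.producers)):
        if chain.submit(slot, tx):
            return slot
    return None


def blacklist_scenario():
    """20 of 21 producers enforce the blacklist; one stale producer is enough for the transfer to land."""
    chain = Chain(make_producers(stale={"games.eos"}), {"victim": 2_090_000})
    tx = Transfer("victim", "exchange.deposit", 2_090_000)
    slot = attacker_retries(chain, tx)
    producer = chain.producers[slot].name if slot is not None else None
    return slot, producer, chain.balances


def nullification_scenario():
    """Same stale producer, but the victim's keys were nullified on-chain: no slot ever includes it."""
    chain = Chain(make_producers(stale={"games.eos"}), {"victim": 2_090_000}, nullified={"victim"})
    tx = Transfer("victim", "exchange.deposit", 2_090_000)
    return attacker_retries(chain, tx, rounds=3), chain.balances


def screen_deposits(deposits, ecaf_blacklist):
    """Exchange-side check: deposits whose on-chain sender is on the arbitration blacklist get frozen."""
    return [d for d in deposits if d.sender in ecaf_blacklist]


if __name__ == "__main__":
    print("blacklist only:", blacklist_scenario())
    print("key nullified:", nullification_scenario())
    deposits = [Transfer("victim", "exchange.deposit", 2_090_000), Transfer("alice", "exchange.deposit", 5)]
    print("frozen:", screen_deposits(deposits, {"victim"}))
```

The point the model makes is that a producer-local blacklist is a policy enforced by whoever happens to be producing, so its strength is that of the least diligent of the 21, whereas a key change is validated by every node and cannot be bypassed by waiting for a particular slot. The exchange-side screen is a second, independent layer: it does nothing to stop the transfer on-chain, but it catches the funds where they are converted.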
The number of active BPs is capped at 21, with BP candidates able to replace each other through continuous voting. Per EOS42, several accounts have been blacklisted on the basis of ECAF orders issued after the victims’ accounts were hacked.
EOS, the fourth largest cryptocurrency by market cap today, launched its mainnet in June 2018 following the completion of its $4 billion token sale. Commentators have expected EOS to compete with Ethereum (ETH) as a protocol with which to build decentralized apps (DApps).