EOS Hacked – 2.09 million EOS Lost due to Blacklist Update failure

Cryptocurrency by Blockspectator  | 1 year ago

A hacker has managed to steal approximately 2.09 million EOS tokens ($7.7 million) from a previously compromised account after an EOS block producer failed to update its blacklist.

A submission on the EOS community read:

“EOS accounts blacklist issue.

On Feb 22, 2019, a new Active BP (games.eos) did not update the blacklist for EOS mainnet accounts. The blacklist is used to freeze accounts that were hacked. Because the blacklist was not updated, the attacker behind one of these frozen accounts managed to transfer 2.09 million EOS.

EOS42 recently proposed a solution for the blacklist issue. At the moment, for the blacklist to function, all BPs need to update the blacklist manually. A single blacklist that is not updated will bypass this.

Meanwhile, the BOS sidechain has already implemented an on-chain multisig blacklist mechanism, which does not require a separate configuration for each BP.”

The EOS blacklist is a mechanism that requires Block Producers to place any hacked accounts on a blacklist. For the blacklist to function correctly, every one of the top-21 BPs must add the specified account to its own list. However, on February 22nd, the block producer ‘games.eos’ most likely failed to update its EOS blacklist, giving the hacker the opportunity to execute the transfer.
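The failure mode described above, as an added example that is not code from the article or from EOSIO: a small simulation contrasting the per-producer blacklist (each BP consults only its own local config) with an on-chain list that every producer validates against, plus a monitoring check for producers whose local list has drifted from the published one. It assumes a simplified schedule in which a single scheduled producer decides whether a transaction is included; all producer and account names are constructed.

```python
# Added example: per-node vs. on-chain blacklist enforcement (constructed data).
from dataclasses import dataclass

PRODUCERS = [f"bp{i:02d}" for i in range(1, 21)] + ["games.eos"]  # top-21 schedule, constructed
REFERENCE_LIST = {"hackedacct1", "hackedacct2"}                    # published freeze list, constructed


@dataclass(frozen=True)
class Transfer:
    sender: str
    amount: int


def per_node_blacklist(configs):
    """Off-chain design: each producer checks only its own local config file."""
    def accepted_by(producer, tx):
        return tx.sender not in configs.get(producer, set())
    return accepted_by


def on_chain_blacklist(frozen):
    """Consensus design: one set in chain state that every producer validates against."""
    def accepted_by(producer, tx):
        return tx.sender not in frozen
    return accepted_by


def producers_that_would_include(accepted_by, tx, producers=PRODUCERS):
    """A transfer from a frozen account succeeds if any scheduled producer accepts it."""
    return [p for p in producers if accepted_by(p, tx)]


def stale_producers(configs, reference=REFERENCE_LIST):
    """Monitoring check: which producers' local lists lag behind the published one?"""
    return sorted(p for p in PRODUCERS if not reference <= configs.get(p, set()))


def demo():
    tx = Transfer("hackedacct1", 2_090_000)
    configs = {p: set(REFERENCE_LIST) for p in PRODUCERS}
    configs["games.eos"] = set()          # one producer missed the update
    leaky = producers_that_would_include(per_node_blacklist(configs), tx)
    sealed = producers_that_would_include(on_chain_blacklist(REFERENCE_LIST), tx)
    return leaky, sealed, stale_producers(configs)


if __name__ == "__main__":
    print(demo())   # (['games.eos'], [], ['games.eos'])
```

With twenty correctly configured producers and one stale one, the per-node design still lets the transfer through, while the on-chain list rejects it everywhere; the drift check is the kind of alert a BP operator would want before the next schedule rotation.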

Following this hack, cryptocurrency exchange Huobi detected the movement of the tokens into one of its accounts by matching against the blacklist data provided by the EOS Core Arbitration Forum (ECAF). As a result, Huobi froze all related accounts and assets and sent out this tweet:

“On Feb 22 at 17:35 (GMT+8), the Huobi Security team monitored that #ECAF (EOS Core Arbitration Forum) blacklisted accounts had a sudden flow of assets into Huobi accounts. These $EOS accounts have subsequently been frozen, including relevant assets related to these accounts.”

The EOS team proposed a new solution that would eliminate the keys of any account on the blacklist, rather than relying on each BP to hold a veto within the mainnet. This solution would allow the account to be returned to its original owner, and seems more convenient than working with the blacklist.
