Hackers transfer 2.09 million EOS after a blacklist update failure

Getting your Trinity Audio player ready...

Hackers managed to transfer 2.09 million EOS ($7.7 million) from a hacked account reportedly due to an alleged failed update by an EOS block producer (BP). EOS reported the news through a Telegram post on February 23.

Reportedly, the hack occurred on Feb 22 when a new EOS block producer named “game.eos” failed to update the blacklist for EOS mainnet accounts. Traditionally, the EOS blockchain is created with a feature that requires BPs to blacklist compromised accounts. The feature also needs the top 21 accounts to blacklist a specific account for the blacklist feature to function correctly.

Huobi’s security team detected the hack. The team discovered assets were pouring in from EOS blacklisted accounts into Huobi accounts. They managed to freeze the accounts and related asset. The team was able to identify this transfer with the help of blacklisted data from EOS Core Arbitration Forum (ECAF).

In a tweet, Huobi stated:

“On Feb 22 at 17:35 (GMT+8), the Huobi Security team monitored that #ECAF (EOS Core Arbitration Forum) blacklisted accounts had a sudden flow of assets into Huobi accounts. These $EOS accounts have subsequently been frozen, including important assets related to these accounts.”

Due to the hack, EOS42 has made a new proposal that suggests BPs nullify keys of blacklisted accounts. This would mean the end of veto power to a single BP on the EOS mainnet. Reportedly, the new proposal is much more effective than a “broken blacklist.” It also allows an account to be saved and returned to its apt owner.

The EOS system allows for 21 BPs who can be replaced by other candidates through constant voting process. This was done as per the ECAF orders.

EOS launched its mainnet last year in June. Since then, this platform has faced various challenges. In September 2018, hackers managed to steal about $58,000 worth of token from exchange Newdex. Reportedly, these hackers issued 1 billion units of token called “EOS.” The exchange later realized that the hackers had issued 11,800 fake EOS.

In the same month, an EOS-based platform lost $250,000 worth of EOS coins after unknown people attacked its platform.