A hacker allegedly moved 2.09 million EOS, worth approximately $7.7 million, from a hacked account after an update by an EOS block producer (BP) failed.
The failure and subsequent transfer of the funds from the hacked account was revealed on February 23 via a Telegram post by one BP, EOS42.
One of EOS’ security measures is a blacklist of identified compromised accounts, which works correctly only if all BPs apply it.
It is alleged that one block producer identified as “games.eos” failed to update the blacklist on February 22, an eventuality that saw the millions of EOS tokens moved.
The breach was subsequently discovered by crypto exchange Huobi’s security team, and the exchange announced on February 23 that it was able to intercept and freeze the anonymous hacker’s accounts and the assets deposited into Huobi accounts.
The exchange’s security team used the blacklist data obtained from the EOS Core Arbitration Forum (ECAF). The group explained that it had detected massive movement of assets from accounts blacklisted by EOS into those on Huobi.
EOS uses the Delegated Proof of Stake (DPOS) consensus algorithm, which has 21 elected block producers who secure the network by making decisions and approving blocks.
The number of block producers on the EOS mainnet is capped at 21, a number that is maintained through voting, with BP candidates always vying to replace one another.
In the aftermath of the incident, EOS42 proposed that changes be made to adopt a new strategy that significantly deviates from the one being used at the moment.
According to EOS42, the new proposal would see the BPs invalidate keys of blacklisted accounts, which the block producer said was more effective compared to using a “‘broken’ blacklist.”
The BP argued that nullifying keys of blacklisted accounts using ‘eosio.wrap’ gives the team a chance to “stop any loss of funds” and could help in restoring “the integrity of 15/21 DPOS consensus.”
Per the blog post, adopting the new measure would be better than having a situation where a single (potentially compromised) block producer can veto the rest of the network.
Also notable is that rotating the top 21 BPs means there is always a chance that a block producer that hasn’t updated the blacklist becomes one of the 21.
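The difference between the two approaches can be shown with a small model. The following is an added example, not EOS code or anything published by EOS42: it assumes the blacklist is a filter each producer applies locally, while nullified keys are recorded in shared chain state once 15 of the 21 producers approve. All account and producer names are constructed.

```python
# Simplified model of the two approaches described in the article.
ACTIVE_BPS = 21          # active producer count, from the article
KEY_NULL_THRESHOLD = 15  # 15/21 approval, from the article

def first_leaky_producer(schedule, local_blacklists, account):
    """Return the first scheduled producer that would include a
    transaction from `account`, or None if every producer filters it."""
    for bp in schedule:
        if account not in local_blacklists.get(bp, set()):
            return bp
    return None

def nullify_keys(chain_state, account, approvals, schedule):
    """Mark `account` as keyless in shared state if at least
    KEY_NULL_THRESHOLD distinct scheduled producers approve."""
    valid = set(approvals) & set(schedule)
    if len(valid) >= KEY_NULL_THRESHOLD:
        chain_state["nullified"].add(account)
        return True
    return False

def can_move_funds(schedule, local_blacklists, chain_state, account):
    """A transfer succeeds only if the account still has valid keys and
    at least one scheduled producer does not filter it."""
    if account in chain_state["nullified"]:
        return False  # assumption: no producer can accept a signature
    return first_leaky_producer(schedule, local_blacklists, account) is not None

def demo():
    account = "compromised1"  # constructed account name
    schedule = [f"bp{i:02d}" for i in range(1, ACTIVE_BPS + 1)]  # constructed
    blacklists = {bp: {account} for bp in schedule}
    blacklists["bp21"] = set()  # one producer missed the blacklist update
    state = {"nullified": set()}
    before = can_move_funds(schedule, blacklists, state, account)
    leak = first_leaky_producer(schedule, blacklists, account)
    passed = nullify_keys(state, account, schedule[:15], schedule)
    after = can_move_funds(schedule, blacklists, state, account)
    return before, leak, passed, after

if __name__ == "__main__":
    print(demo())
```

In this model 20 of 21 up-to-date blacklists still let the transfer through, while key nullification holds even though one producer never updated its local list.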
EOS42 highlighted that several accounts on the EOS blockchain had been blacklisted in the last several months on orders of the ECAF, with most of these accounts falling victim to hackers.
The EOS mainnet launched in June last year, with its year-long initial coin offering (ICO) netting $4 billion, and is currently ranked fourth among the largest cryptocurrencies by market capitalization.
EOS/USD is trading at $3.5 at the moment and has a market cap of $3.17 billion according to XBT.net.