Hacker steals $7.7 million in EOS cryptocurrency after blacklist snafu
A hacker has stolen $7.7 million worth of EOS cryptocurrency after one of the 21 maintainers of an EOS blacklist failed to do its job.
Security
The hack came to light on Saturday, February 23, in a Telegram public post by EOS42, a web-based community of EOS cryptocurrency owners.
EOS42 (also known as EOS Go) said that one of its users had their EOS account compromised by a hacker on February 22.
After discovering the hack, the unnamed user followed a normal security procedure that was hard-coded inside the EOS blockchain code to allow the blacklisting of malicious accounts.
The procedure implied notifying the top 21 "block producers" (a term used to describe the most efficient miners of new EOS cryptocurrency) of the malicious account's EOS address.
The 21 top block producers would then update a blacklist of banned EOS addresses that cryptocurrency exchanges would use to ban malicious accounts from interacting with their platforms, preventing hackers and other entities from moving stolen funds.
The procedure was put in place to prevent hackers from stealing funds, but it did not work as intended over the weekend.
"All top 21 Block Producers must have their blacklist updated. If only one top 21 BP does not have an updated blacklist, hacked accounts are vulnerable to being emptied," said the EOS42 team in a Medium blog post.
"This scenario played out in the last 24hrs when a newly rotated top 21 BP failed to apply the blacklist. Unfortunately, one blacklisted account holding [2 million] EOS began to be emptied," EOS42 said.
The EOS block producer who failed to update its blacklist was identified as games.eos, a platform for developing EOS-based blockchain games, which recently entered the top 21 block producer ranking and was not running an up-to-date blacklist.
According to current reports, the hacker moved 2.09 million EOS coins from the hacked account to several accounts at various cryptocurrency exchanges.
Following the EOS42 Telegram post, the Huobi exchange platform froze accounts to which the hacker sent funds. However, the hacker got away with a nice sum, as not all exchanges did the same.
On Feb 22 at 17:35 (GMT+8), the Huobi Security team monitored that #ECAF (EOS Core Arbitration Forum) blacklisted accounts had sudden flow of assets into Huobi accounts. These $EOS accounts have subsequently been frozen, including relevant assets related to these accounts.
— HuobiGlobal (@HuobiGlobal) February 23, 2019
Following the incident, EOS42 is now proposing that the EOS blockchain maintainers replace the shoddy "blacklist" mechanism with a more democratic system where if 15 out of 21 EOS block producers update their blacklist, an account key is nulled, blocking access to the hacked account.
This opens the door for quicker takedowns of hacked accounts, but also to the possibility of re-enabling access for the account's legitimate owner down the line.
EOS42 argued that the previous blacklist approach was flawed because "in the most egregious form, any hacker could corrupt one BP by incentivizing them with a reward for 'failing' to update their blacklist."
2018's worst cryptocurrency scams, cyberattacks (in pictures)
Related cybersecurity news coverage:
- Hackers can hijack bare-metal cloud servers by corrupting their BMC firmware
- A third of all Chrome extensions request access to user data on any site
- ICANN: There is an ongoing and significant risk to DNS infrastructure
- New browser attack lets hackers run bad code even after users leave a web page
- Researchers break digital signatures for most desktop PDF viewers
- It took hackers only three days to start exploiting latest Drupal bug
- Major vulnerability found in Android ES File Explorer app TechRepublic
- Xiaomi electric scooter reportedly vulnerable to hijacking hack CNET