Hacker steals $7.7 million in EOS cryptocurrency after blacklist snafu

One of 21 EOS blacklist maintainers failed to update its list, allowing the hacker to make off with the stolen funds.
Written by Catalin Cimpanu, Contributor

A hacker has stolen $7.7 million worth of EOS cryptocurrency after one of the 21 maintainers of an EOS blacklist failed to do its job.

The hack came to light on Saturday, February 23, in a Telegram public post by EOS42, a web-based community of EOS cryptocurrency owners.

EOS42 (also known as EOS Go) said that one of its users had their EOS account compromised by a hacker on February 22.

After discovering the hack, the unnamed user followed a normal security procedure that was hard-coded inside the EOS blockchain code to allow the blacklisting of malicious accounts.

The procedure involved notifying the top 21 "block producers" (a term used to describe the most efficient miners of new EOS cryptocurrency) of the malicious account's EOS address.

The 21 top block producers would then update a blacklist of banned EOS addresses that cryptocurrency exchanges would use to ban malicious accounts from interacting with their platforms, preventing hackers and other entities from moving stolen funds.

The procedure was put in place to prevent hackers from stealing funds, but it did not work as intended over the weekend.

"All top 21 Block Producers must have their blacklist updated. If only one top 21 BP does not have an updated blacklist, hacked accounts are vulnerable to being emptied," said the EOS42 team in a Medium blog post.

"This scenario played out in the last 24hrs when a newly rotated top 21 BP failed to apply the blacklist. Unfortunately, one blacklisted account holding [2 million] EOS began to be emptied," EOS42 said.

The EOS block producer that failed to update its blacklist was identified as games.eos, a platform for developing EOS-based blockchain games, which had recently entered the top 21 block producer ranking without running an up-to-date blacklist.

According to current reports, the hacker moved 2.09 million EOS coins from the hacked account to several accounts at various cryptocurrency exchanges.

Following the EOS42 Telegram post, the Huobi exchange platform froze accounts to which the hacker sent funds. However, the hacker got away with a nice sum, as not all exchanges did the same.

Following the incident, EOS42 is now proposing that the EOS blockchain maintainers replace the shoddy "blacklist" mechanism with a more democratic system: if 15 of the 21 EOS block producers update their blacklist, the account's key is nulled, blocking access to the hacked account.

This opens the door for quicker takedowns of hacked accounts, but also to the possibility of re-enabling access for the account's legitimate owner down the line.

EOS42 argued that the previous blacklist approach was flawed because "in the most egregious form, any hacker could corrupt one BP by incentivizing them with a reward for 'failing' to update their blacklist."
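The failure mode EOS42 describes, a single stale block producer defeating a blacklist that only works if all 21 apply it, set against the proposed 15-of-21 key-nulling threshold, modelled as an added example (this is not code from the article or from the EOS project). The account names and all producer names other than games.eos are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed data: illustrative account names and a canonical blacklist,
# not real EOS accounts. games.eos is the producer named in the article.
CANONICAL_BLACKLIST = {"hacked.acct", "otherbad.acct"}


@dataclass
class BlockProducer:
    name: str
    blacklist: set = field(default_factory=set)


def build_top21(stale=("games.eos",)):
    """Constructed scenario: the top 21 BPs, where every producer listed in
    `stale` (e.g. a newly rotated-in BP) has not applied the blacklist."""
    names = [f"bp{i:02d}" for i in range(1, 22 - len(stale))] + list(stale)
    return [BlockProducer(n, set() if n in stale else set(CANONICAL_BLACKLIST))
            for n in names]


def stale_producers(producers, canonical=CANONICAL_BLACKLIST):
    """Defender's audit: which BPs are missing canonical entries, and which."""
    return {bp.name: sorted(canonical - bp.blacklist)
            for bp in producers if canonical - bp.blacklist}


def transfer_blocked_by_blacklist(producers, sender):
    """Old mechanism: a transfer from a blacklisted account is stopped only if
    EVERY producer refuses it; one stale BP can still include it in its block."""
    return all(sender in bp.blacklist for bp in producers)


def key_nulled_by_threshold(producers, sender, threshold=15):
    """Proposed mechanism: once `threshold` of the 21 BPs have applied the
    entry, the account key is nulled on-chain, so a single omission is harmless."""
    votes = sum(sender in bp.blacklist for bp in producers)
    return votes >= threshold


if __name__ == "__main__":
    top21 = build_top21()
    print("stale producers:", stale_producers(top21))
    print("old blacklist stops transfer:",
          transfer_blocked_by_blacklist(top21, "hacked.acct"))
    print("15-of-21 nulls key:", key_nulled_by_threshold(top21, "hacked.acct"))
```

Raising the number of stale producers in build_top21 shows where each model breaks: the unanimity model fails at one, the threshold model only once seven or more have not applied the entry.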
