Hacker Transferred 2.09 mln EOS To Huobi Due To Blacklist Update Failure

An anonymous hacker managed to transfer EOS 2.09 mln (approximately $7.7 mln) from a hacked account due to a probably failed blacklist update by the EOS block producer (BP), which was signaled in BP EOS42 Telegram channel.

The EOS blockchain contains a function that requires BP to put the hacked accounts to the blacklist. In order for the blacklist to function properly, all TOP-21 BPs should enter a specific account into the list. On February 22, a new producer of EOS blocks, called “games.eos”, probably, did not update the blacklist of EOS accounts, which allowed the hacker to operate.

The security system of cryptocurrency exchange Huobi recorded the movement of assets to their accounts using the data obtained from the blacklist of the EOS Core Arbitration Forum (ECAF). Following that, Huobi froze accounts and related assets, posting a tweet about the incident.

On Feb 22 at 17:35 (GMT+8), the Huobi Security team monitored that #ECAF (EOS Core Arbitration Forum) blacklisted accounts had sudden flow of assets into Huobi accounts. These $EOS accounts have subsequently been frozen, including relevant assets related to these accounts.

— Huobi (@HuobiGlobal) 23 февраля 2019 г.

Consequently, EOS42 made a proposal to nullify the blacklisted account keys instead of providing veto power to a single BP in the EOS network. According to EOS42, the key nullification option is more efficient and allows to save the account and return it to the rightful owner.

Image courtesy of Lachaine crypto