Hacker Manages To Swipe 2.09 Million EOS Following Blacklist Update Failure
An alleged failed update by an EOS block producer (BP) allowed an anonymous hacker to move 2.09 million EOS ($7.7 million) out of a hacked account, as reported by EOS block producer EOS42 on Feb. 23.
According to a Telegram post, a feature of the EOS blockchain requires all top 21 BPs to blacklist compromised accounts. Apparently, a new EOS block producer dubbed “games.eos” did not update the blacklist for EOS mainnet accounts on Feb. 22.
The security team of major global crypto exchange Huobi detected assets pouring from blacklisted EOS accounts into Huobi accounts, using blacklist data from the EOS Core Arbitration Forum (ECAF). The platform subsequently froze the accounts and the associated assets, as per a tweet on Feb. 23.
On Feb 22 at 17:35 (GMT+8), the Huobi Security team monitored that #ECAF (EOS Core Arbitration Forum) blacklisted accounts had a sudden flow of assets into Huobi accounts. These $EOS accounts have subsequently been frozen, including relevant assets related to these accounts.
— HuobiGlobal (@HuobiGlobal) February 23, 2019
After the incident, EOS42 made a new proposal: nullify the keys of blacklisted accounts instead of leaving a single BP on the EOS mainnet with what amounts to a veto over enforcement. As per EOS42, nullifying the keys is a more effective option than a “‘broken’ blacklist”, as it still allows an account to be saved and returned to its rightful owner.
Capped at 21, BP candidates can replace one another through a constant voting process. EOS42 adds that several accounts have been blacklisted based on ECAF orders in cases where the victims’ accounts were hacked.
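The design point behind EOS42's proposal, as an added illustration that is not EOS code or anything from EOS42: a blacklist that each of the 21 producers must apply on its own node holds only until one producer's turn comes without the update, whereas voiding an account's keys in on-chain state binds every producer. The producer names other than "games.eos" and the account name "victim.acct" are constructed.

```python
# Added illustration (not EOS code): per-node blacklist vs. on-chain key nullification.
from dataclasses import dataclass, field
from typing import List, Optional

ECAF_BLACKLIST = frozenset({"victim.acct"})   # constructed: account ECAF ordered frozen
AMOUNT = 2_090_000                            # EOS moved in the reported incident

@dataclass
class Producer:
    name: str
    blacklist: frozenset   # accounts this BP's own node refuses to include transfers from

@dataclass
class Chain:
    producers: List[Producer]                      # round-robin schedule of the top 21 BPs
    nullified: set = field(default_factory=set)    # accounts whose keys BPs voided on-chain
    ledger: list = field(default_factory=list)

    def submit(self, slot: int, sender: str, amount: int) -> bool:
        """Try to include a transfer from `sender` in the block produced at `slot`."""
        if sender in self.nullified:          # consensus rule: no valid key, no valid transfer
            return False
        bp = self.producers[slot % len(self.producers)]
        if sender in bp.blacklist:            # local config: only protects this BP's slot
            return False
        self.ledger.append((bp.name, sender, amount))
        return True

def first_slot_through(chain: Chain, sender: str, amount: int) -> Optional[int]:
    """Resubmit once per slot for one full rotation; return the slot that includes it, or None."""
    for slot in range(len(chain.producers)):
        if chain.submit(slot, sender, amount):
            return slot
    return None

def build_producers(missing: str) -> List[Producer]:
    """20 producers with the ECAF blacklist applied, one (`missing`) that never loaded it."""
    names = [f"bp{i:02d}.eos" for i in range(20)] + [missing]   # constructed names
    return [Producer(n, frozenset() if n == missing else ECAF_BLACKLIST) for n in names]

def blacklist_only() -> Optional[int]:
    """Enforcement by node config alone: the transfer lands in the unpatched BP's slot."""
    return first_slot_through(Chain(build_producers("games.eos")), "victim.acct", AMOUNT)

def keys_nullified() -> Optional[int]:
    """Keys voided on-chain: the same unpatched BP cannot include the transfer either."""
    chain = Chain(build_producers("games.eos"), nullified={"victim.acct"})
    return first_slot_through(chain, "victim.acct", AMOUNT)

if __name__ == "__main__":
    print("blacklist only: included in slot", blacklist_only())   # 20 (games.eos)
    print("keys nullified: included in slot", keys_nullified())   # None
```

With twenty of twenty-one producers configured correctly the transfer still goes through on the first rotation, which is exactly why enforcement that depends on every operator's configuration is weaker than a rule carried in consensus state.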