Games.eos, a “Top 21” staker (“block producer” or “most efficient miner”) of the newer cryptocurrency network EOS, recently failed to update its blacklist of hacked EOS accounts, leaving the door open for a hacker to drain $7.7 million USD in EOS tokens from a compromised account, ZDNet reports.
News of the hack reportedly surfaced last Sunday, February 23rd, on the EOS Telegram forum EOS42.
According to forum user “EOS Go” and ZDNet, an EOS investor noticed one of his or her accounts had been hacked on February 22nd and “followed a normal security procedure that was hard-coded inside the EOS blockchain code to allow the blacklisting of malicious accounts.”
Unfortunately, one of the EOS 21 stakers failed to update their blacklist, which was set up to “prevent…hackers and other entities from moving stolen funds.”
According to a blog post issued by EOS 42 on Medium:
“All top 21 Block Producers must have their blacklist updated. If only one top 21 BP does not have an updated blacklist, hacked accounts are vulnerable to being emptied.”
And that appears to be what happened when “one blacklisted account holding [2 million] EOS began to be emptied.”
EOS42 is now reportedly advocating that the “EOS community” rid itself of the consensus blacklist approach in favour of automatic, cross-network blacklisting if 16 out of 21 “block producers” agree to “null the account key” and block an account.
“This opens the door for quicker takedowns of hacked accounts, but also to the possibility of re-enabling access for the account’s legitimate owner down the line,” ZDNet writes.
EOS 42 also argued that the previous blacklist system was problematic because “in the most egregious form, any hacker could corrupt one BP by incentivizing them with a reward for ‘failing’ to update their blacklist.”
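The difference between the two schemes described above can be shown with a small model. This is an added illustration, not EOS code and not taken from EOS42 or ZDNet; the producer names, the account name `hackedacct` and the simple round-robin schedule are assumptions made for the example.

```python
from dataclasses import dataclass, field

N_PRODUCERS = 21   # active block producers, per the article
THRESHOLD = 16     # approvals the proposal needs to null an account key
HACKED = "hackedacct"  # constructed account name


@dataclass
class Producer:
    name: str
    blacklist: set = field(default_factory=set)  # local, per-producer config


def make_producers(stale=()):
    """Build 21 producers; indexes in `stale` never loaded the new entry."""
    return [Producer(f"bp{i:02d}", set() if i in stale else {HACKED})
            for i in range(N_PRODUCERS)]


def first_accepting_slot(producers, sender):
    """Local-blacklist model: a pending transfer is offered to each producer
    in turn over one round (assumed round-robin). Returns the slot of the
    first producer that would include it, or None if all 21 reject it."""
    for slot, bp in enumerate(producers):
        if sender not in bp.blacklist:
            return slot
    return None


def blocked_by_threshold(approvals):
    """Threshold model: once 16 of 21 approve, the key is nulled in shared
    chain state, so no single producer's local config can let it through."""
    return approvals >= THRESHOLD


if __name__ == "__main__":
    print("all updated:", first_accepting_slot(make_producers(), HACKED))
    print("one stale  :", first_accepting_slot(make_producers({13}), HACKED))
    print("16 approve :", blocked_by_threshold(16))
    print("15 approve :", blocked_by_threshold(15))
```

In the local-blacklist model the control holds only if all 21 configurations agree, so the weakest producer sets the security level; in the threshold model up to five producers can be stale or uncooperative without reopening the account.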
According to FX Street, the price of EOS dropped by 4% (from $3.63 to $3.48 USD) after the story of the hack broke.