Two Million EOS Hack: What Happened and How to Prevent It from Happening Again?
Written by Dmitriy Perelstein - theEOSwriter Senior Writer
If you haven’t watched an old heist comedy called “How to Steal a Million” starring Audrey Hepburn and Peter O’Toole, now is a good time to fill that cinematographic knowledge gap. In the last couple of days there’s been a lot of buzz in the crypto community about the 2 million EOS hack.
Unfortunately, we will likely never find out if the heist was executed by a couple with similar sex-appeal as the two main characters in the movie. However, as the details of the hack have come to light, everyone and their mother decided to chime in and point blaming fingers at the inefficiency and fragility of the current EOS governance system.
EOS critics, enjoying the moment of weakness, have been particularly vocal.
Some of the critics have been more ardent than others, calling EOS, currently the most successful blockchain in crypto, a cult:
I haven’t yet seen any comments from other Ethereum proponents, but I am sure they won’t make us wait too long either.
But let’s be honest, some criticism is very much justified.
If you like a video format, check out this video from our friends at ShEOS, Ben Sigman and Crystal Rose, who have done a great job explaining details behind the hack:
If you prefer to read articles, Breakermag have done a great job summarizing it for us and even went into the depths of explaining how the BP voting and incentivizing processes work. You can find their article here.
In short, here’s what happened:
The actual hack occurred back in October 2018, when 2+ million EOS were stolen from an account.
A group of BPs caught the theft early enough, thanks to the 3-day unstaking period, and was able to freeze the account the stolen tokens were transferred into.
That account was added to the so-called “blacklist”, a list of accounts that are frozen from transacting with any other account on the blockchain.
In order for the blacklist to work effectively, all 21 Block Producers need to maintain that list at all times.
A new BP that had failed to maintain the blacklist was voted into the top 21 BPs.
As a result of this BP’s oversight, the blacklisted hacker’s account became temporarily unfrozen, and the hacker was able to transfer tokens out of it into a myriad of newly created accounts, which made tracing these funds more difficult.
Questions Still Remain
Despite all the answers we have received recently, some questions still remain:
How was a relatively unknown and young Block Producer, such as Games.EOS, able to achieve enough popularity to reach the top 21?
Why was there a breakdown in communications with a top 21 BP? Why was it so difficult to reach a top 21 producer?
Even if the hacker was able to move tokens from one blacklisted account into multiple new ones, can the assets still be traced using a blockchain explorer? All of the transfer TXs remain written into the blockchain. Yes, tracing the hacker’s transactions becomes a lot more tedious and time-consuming, but it can be done, right?
How to Prevent Such Hacks in the Future?
According to some of the BPs, the current situation, with manual management of the blacklist, would inevitably lead to critical errors. There are a few ways this can be avoided going forward.
One such solution is to use a multi-sig security mechanism or a time-delayed permission. Another is to nullify the keys of the blacklisted accounts. Only time will tell how long it will take for a coordinated effort to implement such solutions to materialize. But we are hopeful about a positive outcome!
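As an added illustration (not code from this article or from any EOS project), here is a small Python model of why the per-producer blacklist described above fails the moment one of the 21 producers stops enforcing it, beside the on-chain alternative (nullified keys) mentioned as a fix. Producer and account names are constructed placeholders, and the one-block-per-producer schedule is a simplification of the real EOS rotation.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import Optional

# Constructed toy model of the blacklist failure described in the article.
# Account and producer names are invented placeholders, not real EOS accounts.
N_PRODUCERS = 21
FULL_BLACKLIST = frozenset({"frozenacct1"})  # constructed: the frozen account


@dataclass(frozen=True)
class Producer:
    name: str
    blacklist: frozenset  # the off-chain list THIS producer chooses to enforce


def offchain_allows(sender: str, bp: Producer) -> bool:
    """Off-chain enforcement: a producer only drops transfers from accounts
    on its own copy of the list, so each BP is an independent gatekeeper."""
    return sender not in bp.blacklist


def onchain_allows(sender: str, nullified: frozenset) -> bool:
    """On-chain enforcement (keys nullified): the chain itself rejects the
    transaction, so it does not matter which producer sees it first."""
    return sender not in nullified


def first_escape(producers: list, sender: str, rounds: int = 3) -> Optional[tuple]:
    """Simplified round-robin schedule (one block per producer per turn):
    return (block_no, producer) of the first block that includes a transfer
    from `sender`, or None if every producer drops it for `rounds` rounds."""
    schedule = zip(range(len(producers) * rounds), cycle(producers))
    for block_no, bp in schedule:
        if offchain_allows(sender, bp):
            return block_no, bp.name
    return None


def make_producers(lax_index: Optional[int]) -> list:
    """21 producers enforcing the list; optionally one (at lax_index) that
    was just voted in and never loaded it, as happened in the article."""
    return [Producer(f"bp{i:02d}", frozenset() if i == lax_index else FULL_BLACKLIST)
            for i in range(N_PRODUCERS)]


if __name__ == "__main__":
    print(first_escape(make_producers(None), "frozenacct1"))  # None: all 21 enforce
    print(first_escape(make_producers(17), "frozenacct1"))    # (17, 'bp17'): one gap
    print(onchain_allows("frozenacct1", FULL_BLACKLIST))      # False, whoever produces
```

The model makes the weakest-link property concrete: with 21 independent copies of the list, the frozen funds move in the first block produced by the one lax producer, whereas a control enforced by the chain itself holds regardless of who produces the block.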