Blacklist Fail Allows Hacker to Steal $7m in Cryptocurrency

A hacker managed to steal over $7m in cryptocurrency last week after a blacklisting system failed to do its job and protect a compromised account.

The incident was revealed at the weekend by EOS42, a London-based community and one of the “block producers” (BPs) behind the EOS digital currency.

It explained that a blacklist is used to effectively freeze any accounts that may have been hacked. However, it is maintained by 21 block producers, which are custodians of the EOS.IO blockchain and the biggest miners of the currency.

These entities are rotated on a regular basis, but all 21 need to manually update the blacklist for it to function. Unfortunately, a newly active block producer, games.eos, did not.

This allowed the hacker to slip two million EOS from the compromised account.

EOS42 proposed a new system to mitigate the issue, in which if 15 out of the 21 block producers update their list the result is carried and blacklisted accounts will be cauterized to stop any funds escaping.

These accounts could still be saved and returned to their rightful owners once the hacker has been kicked out, it argued.

“The blacklist ‘loophole’ essentially gives a single BP veto power over 15/21 DPOS consensus. In the most benign form, a block producer can neglect to update the blacklist on their producing node, resulting in one BPs mistake overriding a decision that was made by 15/21. In the most egregious form, any hacker could corrupt one BP by incentivizing them with a reward for ‘failing’ to update their blacklist,” EOS42 wrote.

“We should adamantly reject any mechanism whereby 15/21 consensus is fundamentally undermined. On the basis of this principle alone, we suggest nulling the keys of blacklisted accounts as an interim solution. Nulling keys will maintain the integrity of 15/21 consensus, and provide ample protections until the EOS community decides how to handle the current blacklisted accounts.”

EOS is the fourth largest cryptocurrency on the market with a value of over £3bn.

What’s Hot on Infosecurity Magazine?