Let’s Look into the Recent EOS “Hacking Scandal”: The Block Producer and Blacklisting Fiasco
As many of our readers probably already know by now, this past weekend the official EOS Telegram group reported an illegal transfer of 2.09 million native tokens from a blacklisted account. As was to be expected, as soon as news of this event broke, a whole host of digital media outlets began reporting that the EOS project had fallen victim to a nefarious third party. However, that does not paint an exact picture of what really happened, so without any further ado, let's take a closer look at the matter.
First and foremost, we need to understand how the EOS ecosystem actually works. Simply put, the project makes use of a “decentralized operating system” that supports a variety of unique dapps (such as Karma).
However, what makes EOS different from its contemporaries is that unlike other blockchain systems that make use of the PoW (proof-of-work) protocol, it operates via a delegated proof-of-stake system. As a result of this, the EOS project only requires a total of 21 primary nodes (or block producers) to help in the validation of native transactions.
What Exactly Is The Role Of EOS’ Top 21 Block Producers?
On the subject, Kevin Rose— co-Founder and Head Block Producer at EOS New York— was quoted as saying:
“The job security of a block producer is 60 seconds long. EOS New York has been a top 21 block producer since it was founded, but that’s not by accident. Its members work constantly, and they’re based all over the world to ensure 24/7 operation. When U.S.-based members of the block producer are asleep, for example, Chinese members can continue working. Rose personally says he works “from the moment I wake up to the moment I go to sleep nearly every day.””
So Then, How Do Block Producers Get Paid?
From a technical standpoint, block rewards within the EOS network are always “one percent of the total EOS token supply”, with payments being made to nodes that receive an adequate number of votes, regardless of whether they are in the top 21 or not.
Additionally, it is also worth remembering:
- Out of the aforementioned one-percent reward, three quarters (3/4) is reserved as “voter pay”;
- The remaining quarter (1/4) is kept for making “block payments”.
So Who Was Responsible For The Disappearance Of The 2.09 Million EOS?
To answer this question, we need to start by telling our readers that the EOS Community Arbitration Forum (ECAF) is not an elected body; instead, it was created via a special provision within the EOS Constitution when the project was first launched.
The ECAF was devised to help iron out issues within the EOS community, primarily those dealing with matters such as token theft, the operation of blacklisted accounts, etc.
In this regard, it should be remembered that in order for a blacklist to be upheld, the top 21 block producers “must have that blacklist configured into their nodes correctly.”
However, in the recent past the ECAF was found to be submitting more and more blacklist orders to block producers, frustrating them to the point where it felt like the EOS project was no longer abiding by its core foundational principle of being “permissionless”.
So in a certain sense, we can see that it was one of the top 21 block producers who was unable to correctly configure the blacklist. As a result, the network became susceptible to the activities of third-party agents, and the 2.09 million EOS were transferred illegally from within the currency’s ecosystem.
More On The Matter
- According to Rose, one of the new top 21 block producers, “games.eos”, failed to set up the blacklist correctly. As a result, a frozen sum of 2.09 million EOS was transferred from a blacklisted account.
- Following the transfer, the tokens in question were then quickly spread all over the web before the EOS security team could do anything about it.
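As an added illustration (not code from the article, from EOS New York or from the EOS software itself), here is a small Python model of why a blacklist enforced independently by each of the 21 producers is only as strong as its weakest configured node, together with the audit a defender would run to catch the divergence before that producer's turn comes up. Producer and account names are constructed; the round-robin schedule is a simplification of real block production.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Canonical blacklist as circulated to producers (constructed sample accounts).
CANONICAL_BLACKLIST = frozenset({"frozen.acct1", "frozen.acct2", "frozen.acct3"})


@dataclass(frozen=True)
class Producer:
    name: str
    blacklist: frozenset  # the list this producer actually configured on its node

    def admits(self, sender: str) -> bool:
        # Enforcement is local: a producer only blocks what its own config names.
        return sender not in self.blacklist


def build_schedule(overrides: Optional[Dict[str, frozenset]] = None,
                   n: int = 21) -> List[Producer]:
    """Build n producers; names in `overrides` get that (possibly incomplete) list."""
    overrides = overrides or {}
    return [Producer(f"bp{i:02d}", overrides.get(f"bp{i:02d}", CANONICAL_BLACKLIST))
            for i in range(n)]


def first_inclusion_slot(schedule: List[Producer], sender: str) -> Optional[int]:
    """Walk one full rotation; return the first slot whose producer would include
    a transaction from `sender`, or None if every producer rejects it."""
    for slot, producer in enumerate(schedule):
        if producer.admits(sender):
            return slot
    return None


def audit(schedule: List[Producer],
          canonical: frozenset = CANONICAL_BLACKLIST) -> Dict[str, Set[str]]:
    """Detection side: report each producer whose configured list is missing
    canonical entries, with the entries it lacks. An empty dict means consistent."""
    return {p.name: set(canonical - p.blacklist)
            for p in schedule if not canonical <= p.blacklist}


if __name__ == "__main__":
    ok = build_schedule()
    bad = build_schedule({"bp20": frozenset({"frozen.acct1", "frozen.acct3"})})
    print(first_inclusion_slot(ok, "frozen.acct2"))   # None: all 21 enforce
    print(first_inclusion_slot(bad, "frozen.acct2"))  # 20: one gap is enough
    print(audit(bad))                                 # {'bp20': {'frozen.acct2'}}
```

The point the model makes is that 20 correctly configured producers buy nothing once the 21st slot arrives, so the check in `audit` has to run against every producer's configuration, not just a majority.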
In closing out this article, it is worth asking the question, ‘What is preventing hackers from carrying out such activities again in the future?’
According to EOS Block Producer Luke Stokes, the project’s core dev team (as well as the community at large) is working on a solution that incorporates a host of unique security mechanisms such as multi-sig and time-delayed permissions, so as to help prevent such things from ever happening again.