2.09 million EOS ($7.7 million) has been stolen on Feb 22 by an anonymous hacker, after an EOS block producer (BP) failed to update the blacklist for EOS mainnet accounts.  

BP EOS42 made the public alert on Feb 23 over Telegram, saying that games.eos – a new active EOS BP – had been the one who failed to update the blacklist, which allowed the thief to transfer millions of EOS out of frozen accounts.

A feature of the EOS blockchain is that all compromised accounts are tracked in a blacklist created by the EOS.IO blockchain software, and the list is updated by the BPs. The number of BPs is restricted to 21, and all of them must update the blacklist manually for it to function properly and effectively.

In this incident, the movement of EOS was picked up by the security team of crypto exchange platform Huobi when it noticed that accounts recognized by the EOS Core Arbitration Forum as being blacklisted suddenly had asset inflows into Huobi accounts.

Huobi has since frozen the said accounts as of Feb 22 for further investigation.

As possible prevention against such incidents from recurring, EOS42 proposes that the keys of blacklisted accounts be revoked as opposed to allowing a single BP to hold veto power on the EOS mainnet. To EOS42, this will be more efficient than risking a “broken blacklist”, while at the same time also allowing an account to be recovered and returned to its owner.

EOS is currently the fourth largest crypto in the market going by market capitalization. It first launched its mainnet in June last year. Since then, it has also been officially ranked by China as being the top public blockchain for every consecutive month running.