How the Failure of One Block Producer Allowed the Illegal Transfer of $7.26 Million Worth of Frozen EOS

Here’s a thing or two about EOS. EOS raised $4 billion in a year-long ICO before migrating to its new scalable blockchain in 2018.

Like Tron, EOS prioritizes speed and scalability. To that end, it adopted a new variant of the proof-of-stake consensus algorithm: delegated proof of stake (dPoS), a system in which validators are voted for by token holders, who must stake their EOS for three days before voting.

Within EOS.IO, there are 21 block producers that, through approval voting, are constantly voted in and out depending on the total number of votes they receive from token holders. Voting is done every minute and the top-21 list frequently changes.

EOS and Block Producers

Regardless of stiff competition, it’s a privilege to be a block producer because not only do these nodes validate transactions but they are part and parcel of the rule enforcers, the bulwarks fortifying the network against attacks and maintaining “peace”.

Add to that the approximately 10,000 EOS they receive per day (a quarter of the one percent of the total EOS supplied and distributed to all these BPs), and it’s easy to explain why there is a rush from all sides: exchanges (some of which have been accused of playing dirty and of corruption), crypto funds such as MultiCoin, and even individuals.

The draw is global, and that ensures complete decentralization. All the same, some maintain that there is an element of centralization because of these 21 block producers. Nonetheless, it appears that a choice was made and Block One, including Dan Larimer, settled for this consensus algorithm and 21-block-producer architecture.

How 2.09 Million EOS were Transferred

Now, it is emerging that a block producer, games.eos, did not manually update the EOSIO blockchain’s list of blacklisted addresses, a normal procedure done to prevent the transfer of stolen EOS. The result: the person or group behind one of the many frozen accounts got a window and transferred 2.09 million EOS, roughly $7.26 million.

And no one can be blamed for this. Within the EOSIO network, addresses are frozen manually, a band-aid solution imposed by the now infamous EOS Community Arbitration Forum (defined by the EOS constitution and tasked with dispute resolution), which broke down.

The problem is that the solution is not scalable and remains manual, and the failure of one of the 21 block producers let the nefarious account release all the frozen funds. For games.eos, Murphy’s law applied: everything that wasn’t expected to happen went through, and 2.09 million EOS were transferred in one swipe and distributed in seconds before other block producers plugged the leak.
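
The failure mode described above, as an added example (not code from EOSIO or from this article): a small Python model of one 21-producer round in which a single producer's blacklist is stale, plus an audit that flags the out-of-date producer. All account and producer names except games.eos are constructed, the fingerprint comparison is a hypothetical check, and the model assumes a transfer is filtered only by the producer whose turn it is.

```python
import hashlib

# Constructed sample data. Every name except games.eos is hypothetical.
CANONICAL = frozenset({"frozenacct11", "frozenacct12", "frozenacct13"})

def make_round(stale="games.eos", stale_slot=13, missing=("frozenacct12",)):
    """One production round: {producer: local blacklist}, in production order.
    20 producers hold the full list; `stale` missed the manual update."""
    names = [f"producer{i:02d}" for i in range(1, 21)]
    names.insert(stale_slot, stale)
    return {bp: (set(CANONICAL) - set(missing)) if bp == stale else set(CANONICAL)
            for bp in names}

def digest(blacklist):
    """Order-independent fingerprint a producer could publish for comparison."""
    return hashlib.sha256("\n".join(sorted(blacklist)).encode()).hexdigest()

def audit(round_, canonical=CANONICAL):
    """Producers whose fingerprint differs from the canonical list's, mapped to
    the frozen accounts they would fail to reject."""
    want = digest(canonical)
    return {bp: sorted(canonical - local)
            for bp, local in round_.items() if digest(local) != want}

def first_accepting_slot(round_, sender):
    """Modelling assumption: a transfer is filtered only by the producer whose
    turn it is, so it stays pending until some producer's list lacks `sender`.
    Returns (slot, producer), or None if all 21 producers reject it."""
    for slot, (bp, local) in enumerate(round_.items()):
        if sender not in local:
            return slot, bp
    return None

if __name__ == "__main__":
    r = make_round()
    print("out-of-date producers:", audit(r))
    print("frozenacct12 accepted at:", first_accepting_slot(r, "frozenacct12"))
    print("frozenacct11 accepted at:", first_accepting_slot(r, "frozenacct11"))
```

Twenty correct lists do not help: the frozen account only has to wait for the one slot whose producer lacks the entry, which is why the audit has to cover every producer in the schedule.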