Rich hacker embarrassed EOS court

ECAF, which acts as a court, is in an awkward position amid community doubts and the non-cooperation of some BPs. On one hand, there are grand goals, and on the other hand, there is an embarrassing situation.

In response to the incident on February 22 where a blacklisted account on EOS transferred 2 million EOS (currently worth nearly 7 million US dollars), EOS42 published an article on Medium on February 23 proposing a solution to optimize the blacklist mechanism. EOS42 is a BP (block producer) on the EOS mainnet.

According to EOS42, it has written and uploaded a multi-signature (MSIG) proposal to revoke the keys of blacklisted accounts.

It is still unknown whether the proposal will pass, but dissatisfaction in the EOS community has already surfaced. It is undeniable that EOS plays an important role in the history of blockchain development. Whether it is the super node election, the million TPS or the establishment of ECAF (EOS Core Arbitration Court), each of them strengthened the industry's confidence at some point. However, once the noise died down, these mechanisms have not achieved the expected results. More often, the mechanisms launched by EOS look like perfect ideas that are difficult to implement.

EOS hacker attempts to transfer funds to cash out, ECAF fails to fulfill responsibility

On February 22, the PeckShield situational awareness platform detected that the blacklisted account gm3dcnqgenes transferred assets to the exchange through associated accounts many times. According to Caijing.com Chain Finance, the above account was created on June 9, 2018, and was frozen by the EOS Autonomous Community ECAF arbitration on September 25 due to the use of phishing software that led to the theft of private keys.

At 14:17 on February 22, the gm3dcnqgenes account, which had been frozen by arbitration, showed abnormal trading activity again. In three transactions, a total of 2,092,395.53 EOS were transferred to the address newdexmobapp. The hacker sent promotional messages for similar exchange wallets in transfer memos and used "newdexmobapp" to impersonate the Newdex exchange account and mislead observers, and then transferred funds to multiple different small accounts to disperse them and escape tracking.

Immediately afterwards, newdexmobapp transferred 50,000 EOS to another associated account, guagddoefdqu, which transferred hundreds to thousands of EOS at a time to the Huobi exchange account (huobideposit) in batches. After 50,000 EOS had been transferred to the Huobi exchange account, the remaining 2.04 million EOS were dispersed across multiple accounts including ftsqfgjoscma, hpbcc4k42nxy, 3qyty1khhkhv, xzr2fbvxwtgt, myqdqdj4qbge, shprzailrazt, qkwrmqowelyu, lmfsopxpr324, lhjuy3gdkpq4, lcxunh51a1gt, geydddsfkk5e, pnsdiia1pcuy, and kwmvzswquqpb.

At 6:51 pm on February 22, the associated account of gm3dcnqgenes again transferred 158,000 EOS to the Bitfinex exchange account bitfinexdep1 in two transactions.

The three abnormal transactions today were all issued by the super node games.eos, which had only become a BP node and started to produce blocks at 20:46 on February 21. According to PeckShield analysis, the node was newly promoted to BP the day before yesterday (February 21) by two accounts, se4*****rkcg and izc*****3sqe, with 6,738,536 votes. There is suspicion of manipulation, and it cannot be ruled out that the node was deliberately bought into position by the hackers in order to transfer the frozen funds.

EOS42 stated in the proposed solution that the reason hackers can continue to transfer EOS after their accounts are locked is that some nodes on EOS do not update their blacklists in time. According to Caijing.com Chain Finance, the EOSIO mechanism requires the top 21 block producers to update the blacklist. As long as one block producer fails to update the blacklist in time, the stolen account faces the risk of having its funds emptied.

In November 2018, media reported that an EOS investor was defrauded of more than 1,280 EOS due to a private key leak, and then turned to the EOS core arbitration forum ECAF for help. It was not until three months later that ECAF dealt with the complaint, but because BP starteosiobp did not add the account to the blacklist, ECAF's freeze order did not take effect, and the hacker eventually succeeded in transferring the remaining EOS. In this incident, both ECAF and the BP bear unshirkable responsibility.

After BP starteosiobp's failure in November 2018, games.eos has now outdone it: the amount involved this time is thousands of times the loss caused by starteosiobp's failure to update the blacklist in time. According to BlockRhythm, games.eos is a child node of starteosiobp.

Once the incident broke out, ECAF was once again questioned for negligence. Earlier media reports said that after the user filed an arbitration request with ECAF, ECAF did not make a ruling on the request until three months later, when the user's request was approved.

On the evening of February 26, PeckShield detected that the blacklisted account gm3dcnqgenes, which had recently transferred out EOS, was active again. Multiple EOS accounts frequently sent wallet promotion messages in memos to a large number of EOS users and guided users to download the wallet. So far, it has been found that several accounts such as mobile.e, mobil.e, mobileosapps, and newdexmobapp have sent tens of thousands of transaction messages to 11,471 EOS users, with wallet download links embedded in the memo. The links ultimately lead to a copycat app called mEOS Folio, listed as developed by "Vitaly Buterin" (impersonating Vitalik Buterin). The app can be found directly by searching the Apple App Store.

The behavior of this blacklisted account also shows, to a certain extent, that ECAF's current blacklist mechanism cannot effectively solve the problem of hacker attacks.

According to PeckShield analysis, since ECAF's blacklist tracking and freezing has a limited scope, hackers try to escape tracking by creating a large number of sub-accounts through which to launder the stolen funds. The recent transfer of 2.09 million EOS to multiple accounts was likewise intended to escape tracking.
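Both points above, that one producer not enforcing the blacklist is enough for a frozen account to transact and that the funds are then dispersed through sub-accounts, can be checked from block data. The following is an added example, not code from the article, PeckShield or EOS42; the block format, account names, producer names and amounts are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: every account, producer and amount is hypothetical.
BLACKLIST = {"frozenacct11"}
EXCHANGE_DEPOSITS = {"exchdeposit1"}

# (block_num, producer, [(sender, receiver, amount_eos), ...])
BLOCKS = [
    (100, "bp.alpha", [("alice1111111", "bob111111111", 5.0)]),
    (101, "bp.bravo", [("frozenacct11", "relayacct111", 1000.0)]),
    (102, "bp.alpha", [("relayacct111", "hopacct11111", 600.0),
                       ("relayacct111", "exchdeposit1", 400.0)]),
    (103, "bp.charlie", [("hopacct11111", "exchdeposit1", 600.0)]),
]


def audit(blocks, blacklist, exchanges):
    """Return (violations by producer, downstream accounts, exchange inflow)."""
    violations = defaultdict(list)   # producer -> blacklisted transfers it included
    tainted = set(blacklist)         # accounts holding funds traced to the blacklist
    inflow = defaultdict(float)      # exchange deposit account -> traced EOS received
    for num, producer, transfers in sorted(blocks, key=lambda b: b[0]):
        for sender, receiver, amount in transfers:
            if sender in blacklist:
                # A producer enforcing the blacklist would have rejected this.
                violations[producer].append((num, sender, receiver, amount))
            if sender in tainted:
                if receiver in exchanges:
                    # Stop at exchange deposits: marking them tainted would
                    # flag every later withdrawal by unrelated customers.
                    inflow[receiver] += amount
                else:
                    # Conservative over-approximation: the whole receiving
                    # account is followed, not just the traced amount.
                    tainted.add(receiver)
    return dict(violations), tainted - set(blacklist), dict(inflow)


if __name__ == "__main__":
    violations, downstream, inflow = audit(BLOCKS, BLACKLIST, EXCHANGE_DEPOSITS)
    for producer, hits in violations.items():
        print(f"{producer} included {len(hits)} transfer(s) from blacklisted accounts")
    print("accounts to add to the freeze request:", sorted(downstream))
    print("traced EOS reaching exchange deposits:", inflow)
```

On the sample data only bp.bravo is reported, although three producers took turns: the other two never saw a transfer signed by the frozen account, so their compliance is untested rather than proven.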

According to Caijing.com Chain Finance, from July to December 2018 alone, 49 security incidents occurred in DApps on the EOS chain, affecting 37 DApps and causing the project parties to lose a total of nearly 750,000 EOS. Based on the currency price at the time of the attack, the total loss was approximately US$3.19 million.

According to EOS42’s latest solution, EOS42 will use “eosio.wrap” to revoke the keys of blacklisted accounts to prevent fund losses. In addition, EOS42 will also restore the integrity of the 15/21 DPOS consensus.

However, an EOS investor, Chen Ze, told Caijing.com Chain Finance: “I don’t like this approach. The private key is the only thing that can handle funds. How is this different from a bank?”

Another person who has been paying close attention to EOS governance for a long time, Guo Bei, believes that the proposal put forward by EOS42 will help improve the performance of the entire EOS network to a certain extent and also provide nodes with a scalable solution.

But there is no doubt that the EOS42 proposal further damages the decentralization of the EOS community.

ECAF in the dust

In June 2018, Thomas Cox, then Vice President of Product at Block.One, released the latest version of the EOS.IO Constitution Draft in the EOS Go community. The establishment of ECAF is mainly based on the provisions of the Constitution Draft. According to Caijing.com.cn, the clauses in the Constitution Draft that are directly related to ECAF are as follows:

1. Members grant each other the right of contract and the right of private property, so that no property may be transferred without the consent of the owner, without the order of a legal arbitrator, or a community referendum;

2. Members agree to resolve disputes through the blockchain arbitration process, or any other process that the transaction parties may mutually agree to.

Each Member agrees that penalties for violations may include, but are not limited to: fines, account freezing and reinstatement;

3. All disputes arising out of or in connection with this Constitution shall be finally settled under the Rules of Arbitration of the International Chamber of Commerce by one or more arbitrators appointed under the said Rules;

According to public information obtained by Caijing.com.cn, ECAF was originally established to "serve the community by enforcing rules and providing customary support to arbitrators and case execution". When ECAF was first launched, many supporters in the EOS community believed that its establishment would become a milestone in the history of EOS governance, and that it would be a completely fair organization protecting the security of EOS. However, after ECAF was implemented, the EOS community began to find that this beautiful vision of ECAF might be nothing more than their own wishful thinking.

Chen Ze believes that the establishment of ECAF will benefit some people. Although he does not like ECAF because it goes against the original concept of EOS, he still thinks it is a beneficial attempt.

However, this attempt almost fell into dust in less than a year, and questions such as "centralization", "dictatorship", "failure to fulfill responsibility" and "violation of regulations" followed one after another.

First of all, there is the question of the qualifications of ECAF members. Some netizens in the EOS community have questioned: Who gave these arbitrators the rights? According to Caijing.com Chain Finance, BPs are voted in by investors holding EOS, but ECAF arbitrators have not gone through this process.

In addition, although the hacker's transfer of EOS did not escalate further, the conflict between ECAF and the BPs behind it was fully exposed.

Some BPs believe that the establishment of ECAF has affected the degree of decentralization of EOS, although to a large extent, EOS has been considered a centralized network. Since the super node election, the BP list has hardly changed, and there is even the problem of the consortium controlling the election.

In November 2018, Maple Leaf Capital posted a screenshot on Twitter showing that Huobi Exchange obtained votes through vote buying in order to gain the right to manipulate and control the verification process of the EOS proof-of-stake system.

At the beginning of its establishment, ECAF was responsible for protecting account security, but after the security incident occurred, ECAF did not handle it in time, so the EOS community had to start rethinking the significance of ECAF's existence. As a BP, starteosiobp did not strictly implement ECAF's orders, and the EOS Constitution stipulates that "each member agrees to punish illegal acts, including but not limited to fines, account losses and other compensation." Although starteosiobp did not refuse to execute ECAF's orders, its actual passivity made it difficult for ECAF to advance its work.

In order to protect the security of accounts, EOS42 had to upload a multi-signature (MSIG) proposal. According to industry insiders, this move has made ECAF's situation more difficult to a certain extent. ECAF itself has always been under suspicion of centralization, and the multi-signature (MSIG) proposal directly requires the revocation of account keys, which undoubtedly provides evidence for that suspicion.

Since the first arbitration after its establishment, ECAF has been caught in a dilemma. On one side are beautiful expectations, and on the other side is the dissatisfaction of the community, which finally erupted on January 11, 2019.

On January 11, 2019, a voting campaign on "abolishing ECAF" was launched on the EOS Authority website. So far, more than 90% of voters believe that "ECAF should be abolished." According to the EOS Constitution, "This Constitution and its annexes shall not be amended unless more than 15% of token holders vote and the voting rate is not less than 10% for more than 30 consecutive days within every 120 days." According to industry insiders, based on the strict provisions of the EOS Constitution, it is unlikely that ECAF will be abolished.

According to Blockchain analysis, even if the vote is successful, it does not mean that EOS will become a decentralized network. Some people believe that after the abolition of ECAF, without the checks and balances of ECAF, the power of EOS will be concentrated in the hands of BP, and EOS will only become an increasingly centralized network.

So to a certain extent, the dilemma ECAF is facing is more like the dilemma EOS is facing in its development. In early 2018, Vitalik Buterin made a public statement that EOS is contrary to decentralization.

However, Chen Ze believes that EOS is still a decentralized project overall. In the past year or so, EOS has been constantly making new attempts and intentional explorations. But at the same time, Chen Ze also said that he does not think EOS will be the ultimate winner.

Source: Caijing.com Chain Finance

Author: Wu Yingjun
