Introduction: The autonomous arbitration community ECAF issued a freeze order, but one of the BPs forgot to add the address to its blacklist. Having discovered the gap, the fraudster took full advantage of the exact 6 seconds during which this node was responsible for block production.

This April, Shouer bought more than 1,000 EOS at a price of about 110 yuan (15.5 USD). As a retail investor, he was very optimistic about the future of EOS. However, what happened over the past six months failed to meet his expectations. After going through the ups and downs, he has finally been disheartened by an avoidable man-made error in the blockchain’s autonomous arbitration community.

In June, the EOS mainnet had just launched, and at that time the majority of wallets did not fully support the EOS token. Because of this, Shouer ran into problems transferring to an exchange. After he asked for help in the Telegram group, a customer service representative contacted him and said that he could manually import EOS to the exchange.

However, Shouer failed to realize that this customer service representative was actually a fraudster. After he gave the fraudster his private key, all 1280 EOS tokens in his wallet were stolen and used by the fraudster to purchase EOS RAM.

With a little faith in the EOS community, Shouer turned to the EOS autonomous community ECAF for help. He submitted an application for arbitration (Application number: 198). 3 months later, on October 5, ECAF issued an emergency freeze Order to freeze the fraudster’s wallet address. In this way, Shouer’s assets were temporarily protected. Shouer was very grateful for the help of the community and the nodes. He considered himself lucky to be in such a united and friendly family.

However, disaster was yet to come. On November 12th, the frozen EOS address sold the EOS RAM for 552 EOS, which was sent to the Binance exchange and later sold. The fraudster managed to withdraw the money in the end. Shouer could not understand why a frozen account that had been added to the blacklist by all BPs was still able to operate.

An ECAF arbitrator explained that some BPs had not updated their blacklists, which means that they failed to execute ECAF’s freeze order. As a result, during the periods when these BPs were responsible for producing blocks, the fraudster was able to transfer without difficulty.

After checking the fraudster’s transaction records, Shouer found that the BP to blame was starteosiobp of the Start EOS team.

Shouer asked Jerry, the head of the Start EOS team, why the account that should have been frozen by ECAF was still able to transfer. Jerry did not respond until 2 weeks later. He claimed that they were not guilty and that Start EOS did implement the ECAF freeze order. “It is the jet lag to blame. We executed the freezing order as soon as we saw it.”

However, the fraudster’s operation happened more than one month after the freeze order was issued. Shouer found the so-called time-lag explanation unacceptable.

He asked whether Start EOS had properly executed ECAF’s earlier arbitration orders. Jerry said that basically all of them had been executed except for this one, and he refused to answer any more of Shouer’s questions. He said, “Ask ECAF instead of us. We do nothing more than following the rules.”

Feeling helpless and annoyed, Shouer had to contact ECAF again, but half a month later there was still no response. During our communication with Shouer, we repeatedly checked the relevant dialogue screenshots and transaction records, so we are sure that the above story did occur. Faced with useless BPs and an extremely inefficient autonomous arbitration community, what should EOS users, and users of other blockchain networks that use POS mechanisms, do? Will the same thing happen to us again? What should we do if it does? Who can we turn to if we encounter such a BP?

Whose fault?

EOS ECAF (EOSIO Core Arbitrator Forum) is a community of trained professionals that resolves disputes. It handles fraud, theft, defamation, and any other actions that violate the community rules. It issues emergency Orders asking Block Producers (BPs) to add accounts to their blacklists, which prevents those accounts from transacting assets pending further investigation. Shouer’s case falls within ECAF’s scope.

In late June, Shouer applied for arbitration. The arbitrator tried to contact the fraudster through an EOS memo.

On Oct 5, the Order for Shouer’s case was issued. The arbitrator wrote in the Order:

The refusal to process transactions of any kind for the affected EOS account names and/or public keys, pending further review of the case by an Arbitrator.

This emergency Order lists the account (imarichman55) that defrauded Shouer’s account (ha4tomztgage).

In the Order, the arbitrator suggests that BPs refuse any transaction from the fraudster’s account until they receive further instruction. The Order also notes:

“Please note that this is only an emergency order for the protection of assets. The purpose of this order is to secure possibly at-risk assets pending further investigation of the case. An emergency order is not a ruling or decision upon the matter of the case itself. It should not be understood as an implication of wrongdoing by any party.”

The Order is already on-chain: https://eosflare.io/tx/e13568a2c0fec0bfa1b2d335252390eacfe87157b302cc4ec8d327577729f4c6

To guard against fake Orders, EOS New York has published instructions on how to verify an ECAF Order against on-chain data before adding accounts to the blacklist: https://medium.com/eos-new-york/ecaf-order-ecaf00000264-e90d87cfadb8

Blockbeats asked the blockchain security team PeckShield for more information. Its founder, Jiang Xuxian, told us that currently each BP adds accounts to its blacklist on its own, which can lead to different blacklists among different BPs.

EOS Laomao has published a smart contract that auto-configures the blacklist to solve this problem, and they are working with ECAF. This will solve the out-of-sync blacklist problem and make the blacklist public to the whole community.

But Start EOS did not finish adding the account to its blacklist. The fraudster tried repeatedly to find a BP that had not listed him, and found that starteosiobp had not done so.

According to the transaction history, the fraudster sold the RAM and received EOS tokens at 18:01:30, because starteosiobp had not added the account to its blacklist (block: 26531157, producer: starteosiobp).

4 rounds later, at 18:09:54, while starteosiobp was again producing blocks, the fraudster successfully sent the EOS to the Binance exchange (block: 26532158, producer: starteosiobp).

The fraudster used the BP’s oversight to get away. This has nothing to do with “time lag”; that is an excuse from a lazy BP.
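Because each BP enforces only its own blacklist while it is producing, this kind of gap can be audited from public block data. The following Python code is an added example, not part of the original article or any BP’s tooling: it attributes blocks containing frozen accounts to their producer, lists which BPs lack an entry, and computes the open window per round. The block records and the producer names other than starteosiobp are constructed for illustration.

```python
from collections import defaultdict

BLOCKS_PER_SLOT = 12    # consecutive blocks each scheduled producer signs
BLOCK_INTERVAL_S = 0.5  # EOSIO block time; 12 * 0.5 s = the 6-second window

# Account named in the freeze order (taken from the article).
ORDER_ACCOUNTS = {"imarichman55"}

# Constructed sample: (block_num, producer, actors authorizing actions).
# The two starteosiobp rows use the block numbers quoted in the article;
# every other row, producer name and account is made up for illustration.
SAMPLE_BLOCKS = [
    (26531140, "examplebp1aa", {"someuser1111"}),
    (26531157, "starteosiobp", {"imarichman55"}),
    (26531170, "examplebp2bb", {"someuser2222"}),
    (26532158, "starteosiobp", {"imarichman55", "someuser3333"}),
]


def audit_blocks(blocks, frozen):
    """Return {producer: [(block_num, frozen actors it included)]}."""
    findings = defaultdict(list)
    for block_num, producer, actors in blocks:
        hits = sorted(actors & frozen)
        if hits:
            findings[producer].append((block_num, hits))
    return dict(findings)


def missing_entries(frozen, bp_blacklists):
    """Return {producer: frozen accounts absent from its local blacklist}."""
    return {bp: sorted(frozen - listed)
            for bp, listed in bp_blacklists.items() if frozen - listed}


def open_window_seconds(noncompliant_bps):
    """Seconds per schedule round in which a frozen account can transact."""
    return noncompliant_bps * BLOCKS_PER_SLOT * BLOCK_INTERVAL_S


if __name__ == "__main__":
    for producer, hits in audit_blocks(SAMPLE_BLOCKS, ORDER_ACCOUNTS).items():
        print(producer, hits)
    print("open window per round:", open_window_seconds(1), "s")
```

Run against real block data, the same audit shows that a single BP with a stale list is enough to give a frozen account a recurring slot in every round.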

Are those EOS BPs working?

Besides producing blocks, BPs hold a very high position in the EOSIO ecosystem. Various kinds of decisions are voted on by BPs; they decide the consensus of EOSIO. It is hard to imagine that there are a few BPs who seldom work for the community and only collect their daily EOS bonus. It is also shocking to learn that some teams that do work for the community get nothing in return.

We already saw a blacklist escape incident in June this year.

At that time, the processing of emergency orders from ECAF was not mature and communication between the BPs and ECAF was not smooth, so one BP named EOS Store ran its server with an incomplete blacklist. When a blacklisted account tried to send a transaction while EOS Store was producing blocks, it went through, which led to an EOS loss valued at 35K.

For this oversight, EOS Store proposed a remedy to cover the account holder’s loss once the BPs reached a consensus. Yes, the BP will pay for the loss, because it is the BP’s problem.

Later, ECAF started sending Orders as on-chain data, so that BPs can verify the data before adding accounts to their own blacklists.

In Blockbeats’ last article, we mentioned that the top BP earns more than 826 EOS every day, and the second BP earns 821 EOS.

The 21st BP earns 711 EOS every day, which is about 2,266 USD. Let’s do some math: earnings minus server cost = at least 1,600 USD every day!

We sympathize with Shouer over his loss, but what infuriates us is the BP’s attitude to its own problem. Judging from the screenshots provided by Shouer, the Start EOS team feels no pity for the victim, and the head of the BP believes he has done his job and passes the buck to a “time lag” problem. We all know the reason: starteosiobp forgot to add the account to its blacklist, and when the fraudster tried to send a transaction, it went through.

Facing more queries from Shouer, Jerry, the head of the Start EOS team, responded: “go to ECAF.”

Will ECAF work?

The attitude of “this is none of my business” annoys both Shouer and me. But Shouer can do nothing except keep seeking help from ECAF.

The first emergency Order from ECAF took almost three months. If Shouer applies again over this issue, when will the order come? Nobody knows.

In the EOSIO community, ECAF has low efficiency and little authority. The arbitrator on Shouer’s case is a father who runs his own business. He has to look after two boys and piles of ECAF cases. Everything has to wait, including Shouer’s case.

All Shouer can do is wait, impatient and angry.

Compared with Shouer, another victim faces an even more awkward situation. TZ was innocently caught up in an ECAF case (ECAF00000414). TZ bought 700 more EOS on OpenLedger and then withdrew them to his address, but ECAF mistakenly judged that 500 of the withdrawn EOS were related to a theft case, and TZ’s account was added to the blacklist for more than 3 months.

In late October, TZ applied through ECAF to have his account removed from the blacklist. No one replied to him. On Nov 13, TZ sent the file to the EOS Alliance’s WeChat group to ask for public help. An ECAF arbitrator then came forward to help him and said the case would be solved in November and his account would be removed from the blacklist.

On Nov 15, after ECAF had checked all the evidence, it promised to unfreeze his account (ECAF00000686). However, the response that came later was: “For the progress problem, the time of solving this problem will not be promised again.”

But in this case, OpenLedger’s account was removed from the blacklist very quickly (# 2018–09–24-AO-010). TZ’s mistakenly blacklisted account has still not been removed.

TZ feels helpless at being caught up in the theft case. He told Blockbeats that he borrowed the money to buy EOS, and when his family needed the money, he could not get a single penny out.

There are currently more than 1000 cases piled up at ECAF waiting to be judged.

ECAF is helping the victims, but…

What should we do about those lazy BPs?

First, the Start EOS team violated the EOSIO community rules: it did not follow ECAF’s order to update its blacklist, which led to a user’s loss.

Second, ‘thanks to’ Start EOS’s oversight, all the tokens that arbitrators need as evidence for further investigation have been transferred to exchanges. Even if the final ruling is to return the EOS tokens to Shouer, there are no EOS tokens left in the fraudster’s account. It looks as though ECAF is useless if BPs do not follow its orders.

In our opinion, some great teams work for the community without getting a reasonable return, and some BPs are burning money to run their nodes. Other teams use capital to manipulate votes, become top-21 BPs and earn the bonus, yet do not do the work of a BP. Think about this: how many BPs are really contributing to the EOSIO community?

We should fight against the lazy BPs. If you were Shouer and faced the same problem, what would you do? How would you feel facing BPs like Start EOS? Is EOSIO a solution for the free market, or just a capital game?

Please speak up if you don’t want to see this happen again.

EOSIO is great; don’t let it get worse.