Comment by chizhik-pyzhik
20 hours ago
In a multisig interaction there are 3 ways to get hacked:
- The multisig smart contract is owned
- The computer you're signing on is owned
- The hardware wallet (ledger, trezor) you're using is owned
The multisig contract in question here (Gnosis Safe) has been shown to be incredibly robust, and hardware wallets are very difficult to attack, so the current weak point is the computer.
Cryptocurrency companies need to start solving this by moving to a more locked-down, dedicated machine for signing, as well as actually verifying what is shown on the tiny hardware wallet screen instead of blindly clicking "yes".
I think this shows that the best option for protection is to just send many small transactions, never a big one. Define some max tolerance for loss and then send that. This is the advantage of XRP: instant and very cheap TX. You can just automate many small transactions. If something goes wrong, then you can overhaul everything before losing all your $.
The missing part is that you cannot apply the same procedure to 1 ETH as you would to 1k ETH, regardless of the technology being used.
They should only use a computer that is air-gapped and goes online only when signing something. It is an opsec failure not to have this procedure.
Why should it go online at all? $1.5 billion buys a lot of plane tickets to the same physical place, and how frequently do they need to be accessing the whole lump, anyway?
For that matter, I know signatures are long and human-unfriendly, but isn’t it on the order of a couple hundred bytes? Surely $1.5 billion buys transcribing the putative signature request into an isolated machine in a known state, validating/interpreting/displaying the request’s meaning on that offline machine, performing your signing there offline, copying down the result, and carrying the attestation to your secret conclave lair to combine with the others’ or whatever?
What you should do is sign the transaction on an offline computer (which is booted from a linux OS on a flash drive with only the essential software), simulate the transaction to verify it does what you expect, and then save the signed transaction to a flash drive. Then you can submit your transaction on a connected computer with confidence that you didn't sign your tokens away to someone else.
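The comment above recommends interpreting the request on the offline machine before signing rather than trusting the screen blindly. As an added example that is not part of this thread, here is a small pure-Python decoder for the calldata of an ERC-20 `transfer(address,uint256)` call (the token-transfer case is an assumption; the calldata is constructed) so the recipient and amount can be read out offline and compared against what the hardware wallet displays.

```python
# Minimal decoder for ERC-20 transfer(address,uint256) calldata.
# Added example, not code from the thread; the calldata below is constructed.
from dataclasses import dataclass

# First 4 bytes of keccak256("transfer(address,uint256)"), the standard ERC-20 selector.
TRANSFER_SELECTOR = "a9059cbb"


@dataclass
class Transfer:
    recipient: str  # 0x-prefixed, lowercase hex
    amount: int     # raw token units, before applying the token's decimals


def decode_transfer(calldata_hex: str) -> Transfer:
    """Parse ABI-encoded transfer(address,uint256) calldata; reject anything else."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) != 4 + 32 + 32:  # selector + two 32-byte ABI words
        raise ValueError(f"unexpected calldata length {len(data)}")
    if data[:4].hex() != TRANSFER_SELECTOR:
        raise ValueError(f"not an ERC-20 transfer: selector 0x{data[:4].hex()}")
    addr_word = data[4:36]
    if any(addr_word[:12]):  # an address is 20 bytes, left-padded with 12 zero bytes
        raise ValueError("malformed address word: non-zero padding")
    recipient = "0x" + addr_word[12:].hex()
    amount = int.from_bytes(data[36:68], "big")
    return Transfer(recipient, amount)


def human_amount(amount: int, decimals: int) -> str:
    """Render raw units as a decimal string for comparison with the device screen."""
    if decimals == 0:
        return str(amount)
    whole, frac = divmod(amount, 10 ** decimals)
    return f"{whole}.{frac:0{decimals}d}".rstrip("0").rstrip(".")


# Constructed sample: transfer 1.0 tokens (1e18 raw units, 18 decimals) to 0x1111...1111
CONSTRUCTED_CALLDATA = (
    "0xa9059cbb"
    + "0" * 24 + "11" * 20
    + "0" * 48 + "0de0b6b3a7640000"
)

if __name__ == "__main__":
    t = decode_transfer(CONSTRUCTED_CALLDATA)
    print(f"to={t.recipient} amount={human_amount(t.amount, 18)}")
```

Anything that fails to decode as the expected call (wrong selector, odd length, garbage in the address padding) is a reason to stop and investigate, not to sign.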
That’s precisely what happened in this attack.
They were attacked when they went online.
No, the computers were pre-infected. If they used air-gapped systems only to sign, there would be almost no vector to attack from other than some major zero-click zero-day stuff; in that case everyone is screwed.
Or, you know, employ technology that allows for mistakes to be fixed.