Comment by __turbobrew__
19 hours ago
Yea, how is it that multiple people signed a transaction for over a billion dollars of assets without due diligence?
If you did this for non crypto there would be lawyers, bankers, etc involved in the transaction.
Root certificate authorities have already solved this problem with signing rituals which take place in person in an air gapped vault on specialized hardware and multiple parties as witness.
They didn't sign a transaction for 1 billion dollars. They all signed what they thought was a routine transfer, but in reality what they signed gave the hacker full control of the smart contract (the Gnosis Safe) in which the 1.4B $ of tokens were stored.
The hackers, having gained control of the smart contract, proceeded to empty it of funds.
TFA seems to suggest that the thieves modified the signers’ applications to display a routine transaction but actually sign the heist transaction.
Given that the UI they saw was compromised, they likely believed they were signing some routine 1M rebalancing transaction.
Odd that you wouldn't use separate keys for that given the wildly different levels of risk involved.
Separate keys for what? They believed they were signing a routine transaction. That’s the whole idea of the hack.
Splitting funds over 100 wallets would’ve helped. A 100x lower amount would be lost.
And/Or having separate hardened devices used only for signing.
2 replies →