Multi-sig means multiple signatures, by multiple private keys. Nothing about that means that they have to be by multiple people - this isn’t secure like a bank - or that they aren’t vulnerable to the same attack.
OK, but in practice having multiple signatures but one signer is pointless, so multi-sig pretty much does mean multiple signers (people).
Sure, but I mention it because it’s not a 1:1 mapping and if they aren’t rigorously auditing their behaviour it wouldn’t exactly be unheard of for people to know coworkers’ passwords or, more likely, for most of them to just trust someone saying it’s legit. If the tweet about it being a smart contract update is accurate, it’d be especially plausible that people shirked their responsibility and just approved it without review. The multiple part really doesn’t help enough if people aren’t independently verifying requests.
The main takeaway I have is that their “cold” wallet wasn’t very cold and they’d messed up a lot of their diligence, so I’d also read any statements from them as the products of damage control similar to how companies talk about “nation-state threat actors” trying to make it sound like you have to be the Mossad to exploit a Citrix patch which wasn’t installed for most of a year.
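The two points raised above (one key signing twice is not two signers, and an approval only means something if it is over the exact payload the approver reviewed) can be enforced mechanically. The following Go check is an added example, not code from the thread or from any wallet product; the Ed25519 keys, the `Policy` shape and the sample payload are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Approval is one signer's Ed25519 signature over sha256(payload).
type Approval struct {
	PubKey ed25519.PublicKey
	Sig    []byte
}

// Policy lists authorised signer keys (keyed by string(pubkey)) and the threshold.
type Policy struct {
	Signers   map[string]bool
	Threshold int
}

// CheckApprovals succeeds only if at least Threshold DISTINCT authorised keys each hold
// a valid signature over this exact payload; one key signing twice is counted once.
func CheckApprovals(p Policy, payload []byte, approvals []Approval) error {
	digest := sha256.Sum256(payload)
	seen := map[string]bool{}
	for _, a := range approvals {
		if !p.Signers[string(a.PubKey)] {
			return fmt.Errorf("signature from a key outside the policy")
		}
		if !ed25519.Verify(a.PubKey, digest[:], a.Sig) {
			return fmt.Errorf("signature does not cover this payload")
		}
		seen[string(a.PubKey)] = true // duplicate keys collapse here
	}
	if len(seen) < p.Threshold {
		return fmt.Errorf("%d distinct signer(s), need %d", len(seen), p.Threshold)
	}
	return nil
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // constructed keys
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)
	p := Policy{Signers: map[string]bool{string(pubA): true, string(pubB): true}, Threshold: 2}
	payload := []byte("constructed sample: upgrade contract implementation")
	d := sha256.Sum256(payload)
	twice := []Approval{{pubA, ed25519.Sign(privA, d[:])}, {pubA, ed25519.Sign(privA, d[:])}}
	fmt.Println(CheckApprovals(p, payload, twice)) // 1 distinct signer(s), need 2
}
```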