← Back to context

Comment by acdha

14 hours ago

Multi-sig means multiple signatures, by multiple private keys. Nothing about that means that they have to be by multiple people - this isn’t secure like a bank - or that they aren’t vulnerable to the same attack.

3 comments

acdha

Reply
celticninja  14 hours ago

ok but in practice having multiple signatures but one signer is pointless, so multi-sig pretty much does mean multiple signers(people)

  • acdha  13 hours ago

    Sure, but I mention it because it’s not a 1:1 mapping and if they aren’t rigorously auditing their behaviour it wouldn’t exactly be unheard of for people to know coworkers passwords or, more likely, for most of them to just trust someone saying it’s legit. If the tweet about it being a smart contract update is accurate, it’d be especially plausible that people shirked their responsibility and just approved it without review. The multiple part really doesn’t help enough if people aren’t independently verifying requests.

    The main takeaway I have is that their “cold” wallet wasn’t very cold and they’d messed up a lot of their diligence, so I’d also read any statements from them as the products of damage control similar to how companies talk about “nation-state threat actors” trying to make it sound like you have to be the Mossad to exploit a Citrix patch which wasn’t installed for most of a year.

    • celticninja  4 hours ago

      I think the article is clear that the attribution to NK was done by independent 3rd party blockchain researchers and not from ByBit.

      The article is also pretty clear about the method that was used to compromise ByBit and how it has evolved from previous hacks on cryptocurrency exchanges.

      Sometimes it really is a nation state actor, and whilst it may be a stretch to blame a threat actor of this level if your user data was stolen, this is 1.5bn in fungible cryptocurrency, just the sort of thing a pariah state requires and can launder with minimal risk of arrest or any judicial action really.