So basically $600mm in a hot wallet and no one even watching it. Just wow.
They didn’t even hack the smart contract, they just compromised 4 systems holding the private keys, and there was an RPC signing function giving free access to the 5th. Good god.
Sounds like if they had a checking account with their bank credentials stored in ENV variables and someone got access to that server it would be the same outcome.
The details of it being on a crypto-currency are interesting, but when password/passphrase/private key security is poor it doesn't really matter what medium is holding the money.
If the hackers are sophisticated, I would think they would start wiring in much smaller amounts and through accounts so tracing is harder. Much like what they are going to have to do with the funds in that wallet.
If they set up some plausible 3rd party company the game studio could use and started transfers of $10k a pop it might be some time before anyone catches it.
Transferring $650 million out of a corporate bank account would usually require in-person approval by a C-level officer, or at the very least, prior notice to the bank of the transaction.
Yes, it is truly mystifying how they operate in some of these big projects.
Recently, we had Optimistic Ethereum (by my count, ~$250 million locked up in that network) adamantly insisting that they did everything they could to warn users that transaction history would get deleted off of Etherscan.io -- trivially avoidably, no less! -- even though none of their communication channels mention it.[1]
And that they had to make a "tradeoff" in how much effort to spend on warning users, even though their volunteers are choked every day, on Discord, with users wondering where their transaction history is.
Which, of course, pales in comparison to how a hacker found a flaw that let him print infinite ETH within their network (see the main story for that thread), and the project only lives on because he was a white hat who accepted a bounty instead.
Wait, no, it's totally believable because this is the same story that happens over and over again with blockchains. It turns out that all of those pain in the ass compliance laws on traditional finance are there for a reason, and when you ignore the past you end up repeating it.
Most hacks are discovered within minutes or hours, not having the systems in place to know within seconds if your wallet is being drained is unbelievably bad for someone custodying half a billion.
> Most hacks are discovered within minutes or hours
Really? The figures I’ve seen have typically put it in days to weeks unless you’re talking only about the most obvious things like DoS attacks or defacing someone’s homepage.
Sorry, I mean crypto hacks specifically. Most crypto traders/companies/firms have apps and monitoring tools set up to report any suspicious activity on their wallets or contracts. Unfortunately it's sometimes too late at that point, but sometimes not[1].
Ah, that makes more sense. I'd be curious what the timing is like between the compromises which give people access to keys or supporting systems and when the attacker does the noisy part of moving funds around.
Well, yes and no. True, there are a lot of corners that banks would cut if not for regulation, I think we can all agree. But this one is so appalling and self-destructive that no bank would deliberately cut this kind of corner on purpose; it's just stupidity.
Or malicious... similar to the DAO hack from 2017 suspected of being an inside job (with evidence pointing to the insider who lawyered up to refute it with a code-is-law argument), somebody was accountable for security and they deemed it not worth it to secure it.
Axie Infinity was already struggling, and this happens a day or two away from scheduled distribution of rewards & update release.
Cui bono? Who could've known they were carrying funds in a hot wallet other than the people directly involved with the project? Unless there was a way to discover this from the outside?
Somebody at Axie Infinity could have been asking whether they want to get paid 0.025% of that hot wallet yearly or have it all up front, today. After all it isn't cash sitting at a bank they have to rob.
It isn't like monitoring would have done anything. Once the transaction goes out it is gone. The core problem here is the massive private-key bounty being created by a ton of organizations that don't have world-class security teams.
True, but you would think they’d notice $650,000,000 missing before a user reported an issue withdrawing $5,000 (edit - 5k ETH). It’s honestly so impossible to believe that I’d wager the real story is they knew and were actively trying to recover the funds.
But the attacker used 2 transactions. The first one should have been flagged immediately. Plus the servers themselves were compromised. Four of them. The attacker was able to take control of 4 different servers without even being noticed. This is just one massive secops fail.
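The "first one should have been flagged immediately" point above, as an added example that is not code from this thread or from the Ronin/Axie project: a small outflow monitor run over constructed withdrawal events. The event format, thresholds, addresses and tx hashes are all assumptions for illustration. The same policy is shown twice, once in detection mode (report what fired after the fact) and once as a gate in front of the signer, which is the only mode that would have stopped the second transaction.

```python
# Added example (not code from this thread or from the Ronin/Axie project): outflow
# monitoring for a hot wallet or bridge, run over constructed withdrawal events.
# Thresholds, event format, addresses and tx hashes are assumptions.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Withdrawal:
    ts: int            # unix seconds (constructed)
    tx: str            # transaction hash (constructed placeholder)
    to: str            # destination address (constructed placeholder)
    amount_eth: float


# Constructed feed: three ordinary user withdrawals, then two large ones to a
# previously unseen address (the shape of a drain, not real chain data).
SAMPLE_EVENTS = [
    Withdrawal(1648450000, "0xaa01", "0xuser1", 3.2),
    Withdrawal(1648450300, "0xaa02", "0xuser2", 12.0),
    Withdrawal(1648450900, "0xaa03", "0xuser3", 0.5),
    Withdrawal(1648451200, "0xaa04", "0xattacker", 173600.0),
    Withdrawal(1648451260, "0xaa05", "0xattacker", 25500.0),
]


class OutflowMonitor:
    """Two per-event rules plus one rolling-window (velocity) rule."""

    def __init__(self, single_tx_limit, window_seconds, window_limit, allowlist=()):
        self.single_tx_limit = single_tx_limit
        self.window_seconds = window_seconds
        self.window_limit = window_limit
        self.allowlist = set(allowlist)
        self._window = deque()      # (ts, amount) of committed withdrawals
        self._window_total = 0.0

    def _prune(self, now):
        # Drop committed withdrawals that have aged out of the window.
        while self._window and now - self._window[0][0] > self.window_seconds:
            _, amt = self._window.popleft()
            self._window_total -= amt

    def check(self, ev):
        """Return (rule, tx, detail) for every rule ev trips; ev is not yet counted."""
        self._prune(ev.ts)
        alerts = []
        if ev.amount_eth >= self.single_tx_limit:
            alerts.append(("single_tx_limit", ev.tx, ev.amount_eth))
        projected = self._window_total + ev.amount_eth
        if projected >= self.window_limit:
            alerts.append(("velocity", ev.tx, projected))
        # Sizeable transfer to an address not on the allowlist. The 10% cut-off is an
        # assumed value chosen so small first-time user withdrawals stay quiet.
        if ev.to not in self.allowlist and ev.amount_eth >= 0.1 * self.single_tx_limit:
            alerts.append(("new_destination", ev.tx, ev.to))
        return alerts

    def commit(self, ev):
        # Count ev toward the rolling window.
        self._window.append((ev.ts, ev.amount_eth))
        self._window_total += ev.amount_eth


def scan(events, single_tx_limit=1000.0, window_seconds=3600, window_limit=5000.0):
    """Detection mode: every event is already on chain; report what fired."""
    mon = OutflowMonitor(single_tx_limit, window_seconds, window_limit)
    alerts = []
    for ev in events:
        alerts.extend(mon.check(ev))
        mon.commit(ev)
    return alerts


def gate(events, single_tx_limit=1000.0, window_seconds=3600, window_limit=5000.0):
    """Prevention mode: the same policy in front of the signer. A request that
    trips any rule is refused and never counts toward the window."""
    mon = OutflowMonitor(single_tx_limit, window_seconds, window_limit)
    signed, refused = [], []
    for ev in events:
        if mon.check(ev):
            refused.append(ev.tx)
        else:
            mon.commit(ev)
            signed.append(ev.tx)
    return signed, refused


if __name__ == "__main__":
    for rule, tx, detail in scan(SAMPLE_EVENTS):
        print(f"ALERT {rule:16} {tx} {detail}")
    print("gate:", gate(SAMPLE_EVENTS))
```

On the constructed feed the first three withdrawals produce no alerts; the fourth trips all three rules at once, and the fifth trips them again. In `gate` mode both large requests are refused before anything is signed, which is the practical difference between a dashboard that pages someone and a policy the signing path itself enforces.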
Is there no point at which these companies become subject to securities or financial laws? How on earth can a random game studio just casually hold half a billion dollars worth of assets apparently without any idea what to do with it?