[zaroth]

Seriously. That was really really hard to read.

So basically $600mm in a hot wallet and no one even watching it. Just wow.

They didn’t even hack the smart contract, they just compromised 4 systems holding the private keys, and there was an RPC signing function giving free access to the 5th. Good god.

[mattbrewsbytes]

Sounds like if they had a checking account with their bank credentials stored in ENV variables and someone got access to that server it would be the same outcome.

The details of it being on a crypto-currency are interesting but when password/passphrase/private key security is poor it doesn't really matter the medium holding the money.

[oefrha]

No, $625M transfer out of a single bank account would raise tons of eyebrows. No way it’s authorized by some env vars.

[no-dr-onboard]

Maybe, but 30d ago it would have been "No way someone would store $625M USD in a game dev bank account".

[mattbrewsbytes]

If the hackers are sophisticated, I would think they would start wiring in much smaller amounts and thru accounts so tracing is harder. Much like what they are going to have to do with the funds in that wallet.

If they setup some plausible 3rd party company the game studio could use and started transfers of $10k a pop it might be some time before anyone catches it.

[manquer]

That is slow anything over 10,000 in bank transfers will reviewed, and there will be a dedicated account manager for a 600m account.

They are going to review and flag it. You might loose few hundred thousands but not all 625m.

[openasocket]

Aren't there methods of rolling back transactions in the traditional banking system though? And additional validations on larger volume transactions?

[mplewis]

That's right. None of these protections exist in their sidechain.

[mrits]

It would be much different outcome that would probably lead to recovering the money.

[gamblor956]

Transferring $650 million out of a corporate bank account would usually require in-person approval by a C-level officer, or at the very least, prior notice to the bank of the transaction.

[mtoner23]

Yeah, banks dont let you move this money without multiple levels of identity verification by both parties.

[arthurcolle]

Not always true: https://www.vice.com/en/article/ne8p9b/offshore-bank-targete...

[SilasX]

Yes, it is truly mystifying how they operate in some of these big projects.

Recently, we had Optimistic Ethereum (by my count, ~$250 million locked up in that network) adamantly insisting that they did everything they could to warn users that transaction history would get deleted off of Etherscan.io -- trivially avoidably, no less! -- even though none of their communication channels mention it.[1]

And that they had to make a "tradeoff" in how much effort to spend on warning users, even though their volunteers are choked every day, on Discord, with users wondering where their transaction history is.

Which, of course, pales in comparison to how a hacker found a flaw that let him print infinite ETH within their network (see the main story for that thread), and the project only lives on because he was a white hat who accepted a bounty instead.

[1] https://news.ycombinator.com/item?id=30293526

[henriquecm8]

> they just compromised 4 systems holding the private keys, and there was an RPC signing function giving free access to the 5th.

This seems like the plot of a 90's hacker movie.