So, if someone could explain this to me, I don't understand all the particulars.

From the article: "The attacker used hacked private keys in order to forge fake withdrawals. The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator."

Can someone explain what happened here? How were they storing the keys in such a way that they were accessible from the internet? Namely, is this a problem with how crypto is designed itself, did they mishandle their architecture (so presumably if they organized their containers in another way then a hacker wouldn't have access), or did they just put the keys in a file that said KEYS.pem with open access? Does this have implications for blockchain as a whole or was this company just dumb?

Ideally, you shouldn't hold 650 million in one wallet, but if the promise of crypto is supposed to be secure then it shouldn't matter.

PS: If anyone would loan me 650 million dollars I promise not to lose it and would take only a small percentage of the total to pay rent and continue to exist.
They were just dumb. The Ronin bridge where this money was stolen from wasn't decentralized at all and wouldn't even be recognized as a blockchain by even a moderately experienced user. It was just a 5 of 9 multi-sig where the security was very poor and susceptible to social engineering. This was akin to a company keeping 100 gold bars in the closet by the bathroom, and it doesn't say anything about technology or things like DeFi or smart contracts.
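
An added illustration, not part of either post above: a 5 of 9 multi-sig only protects funds if five independent parties have to be compromised, and signing access granted to another party (as in the quoted article) lowers that number. The Python below audits a custody layout for the fewest parties whose compromise yields enough signatures; the key names, party names and both layouts are constructed for the example and are not the real Ronin validator set.

```python
from itertools import combinations

def reachable_keys(parties, signing_access):
    """Validator keys that at least one of `parties` can produce a signature with."""
    compromised = set(parties)
    return {key for key, who in signing_access.items() if who & compromised}

def min_compromise_set(threshold, signing_access):
    """Smallest group of parties that can gather `threshold` signatures.

    signing_access maps key name -> set of parties able to sign with that key
    (the holder plus anyone with delegated or allowlisted signing access).
    Exhaustive search; fine for the handful of keys a multi-sig has.
    """
    all_parties = sorted(set().union(*signing_access.values()))
    for size in range(1, len(all_parties) + 1):
        for combo in combinations(all_parties, size):
            if len(reachable_keys(combo, signing_access)) >= threshold:
                return combo
    return None  # threshold cannot be reached at all

# Constructed layout A: nine keys, nine unrelated holders.
INDEPENDENT = {f"v{i}": {f"p{i}"} for i in range(1, 10)}

# Constructed layout B: one operator holds four keys and also has
# delegated signing access to a fifth key that belongs to a DAO.
CONCENTRATED = {
    "v1": {"org-a"}, "v2": {"org-a"}, "v3": {"org-a"}, "v4": {"org-a"},
    "v5": {"dao", "org-a"},
    "v6": {"p6"}, "v7": {"p7"}, "v8": {"p8"}, "v9": {"p9"},
}

if __name__ == "__main__":
    for name, layout in (("independent", INDEPENDENT), ("concentrated", CONCENTRATED)):
        group = min_compromise_set(5, layout)
        print(f"{name}: 5 of 9 falls after compromising {len(group)} party(ies): {group}")
```

In layout B the nominal 5 of 9 threshold is effectively 1 of 1: a single operator's environment is enough, which is the kind of gap a custody review should flag before funds are placed behind the bridge.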