by big_youth 1214 days ago
> 1. They hack computers not code. Their normal plan is to steal keys by compromising users and computers. This is in contrast to the normal "hack" that works by finding and exploiting bugs in code.

I'm just a 'regular security guy' but in that link you posted they detail that after the initial phishing compromise "The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes." They don't detail the bugs that got them access to the nodes but this didn't give them control of the network so "the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator. ...Sky Mavis requested help from the Axie DAO to distribute free transactions ... Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked."

Sounds like a pretty classic hack to me. They got into the network, got access to some important servers (how? they should be totally segregated from the corporate network). Then found a deprecated endpoint that allowed them to blindly sign transactions. This is bread and butter for any pentesting work, makes me wonder if any of these web3 orgs are hiring security firms to test their systems and not just smart contracts.


The problem was ultimately in the bridge’s design and implementation. Even though it was sold as a decentralized system it was a multisig with very few signatories. A properly designed decentralized bridge would require the compromise of many validators, each with a different infrastructure setup. This is why you never hear about Ethereum itself getting hacked.

Instead, the Axie bridge was a multisig, and as if that wasn't bad enough, most of the signatories were controlled by the same organization on the same infrastructure. Really demonstrated that concerns about decentralization are not just pedantic or academic.

IIRC the 9 nodes were effectively controlled by 3 sets of keys so they only had to compromise 2 to take control. And they took weeks to discover it happened. The incompetence and brazenness astonishes. Team as well as investors.
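The point made in the two comments above (a nominal N-of-M multisig is only as strong as the number of independent parties behind the keys) can be checked mechanically. The following is an added example, not code from the thread or from Sky Mavis: it takes a mapping of validator slots to whichever control domain you care about (key custodian, or equally the hosting infrastructure the earlier comment mentions) and computes the smallest number of distinct domains an attacker would need to compromise to reach the signing threshold. The 5-of-9 threshold and the 4/4/1 key-sharing layout are constructed assumptions for illustration, not figures stated in the thread.

```python
"""Effective compromise threshold of a multisig when validator keys are
shared.  Added example; thresholds and layouts below are constructed."""
from itertools import combinations


def slots_per_domain(slot_to_domain):
    """Group validator slots by the control domain (key holder, operator,
    hosting provider...) that actually controls them."""
    groups = {}
    for slot, domain in slot_to_domain.items():
        groups.setdefault(domain, []).append(slot)
    return groups


def min_domains_to_compromise(slot_to_domain, threshold):
    """Smallest number of distinct control domains whose combined validator
    slots meet the signing threshold.  This is the real security margin of
    the multisig, as opposed to the nominal N-of-M figure.  Returns None if
    the threshold cannot be reached even with every domain compromised."""
    groups = slots_per_domain(slot_to_domain)
    domains = list(groups)
    for k in range(1, len(domains) + 1):
        for subset in combinations(domains, k):
            controlled = sum(len(groups[d]) for d in subset)
            if controlled >= threshold:
                return k
    return None


def nominal_vs_effective(slot_to_domain, threshold):
    """Compare the advertised threshold with the effective one."""
    return {
        "nominal": threshold,
        "effective": min_domains_to_compromise(slot_to_domain, threshold),
        "domains": len(slots_per_domain(slot_to_domain)),
    }


# Constructed layouts: nine validator slots, assumed 5-of-9 threshold.
THRESHOLD = 5
INDEPENDENT = {f"v{i}": f"operator{i}" for i in range(1, 10)}   # nine separate operators
SHARED_KEYS = {"v1": "A", "v2": "A", "v3": "A", "v4": "A",       # four slots on key set A
               "v5": "B", "v6": "B", "v7": "B", "v8": "B",       # four slots on key set B
               "v9": "C"}                                        # one slot on key set C

if __name__ == "__main__":
    print("independent:", nominal_vs_effective(INDEPENDENT, THRESHOLD))
    print("shared keys:", nominal_vs_effective(SHARED_KEYS, THRESHOLD))
```

With nine independent operators the attacker needs five separate compromises; with the constructed 4/4/1 layout, two key sets already cross the threshold, which is the situation the comment describes. Running the same function with a slot-to-hosting-provider mapping gives the corresponding figure for infrastructure-level compromise.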
Weeks is a short amount of time for security detection. Most high level threat actors are in systems for months.

They’re called Advanced Persistent Threats for a reason.

No snark intended.

It's not a short amount of time to realize that your treasury has been looted. They should have had monitoring in place before they had a percentage of the locked up value.
Most security professionals will tell you that even with monitoring the average MTTD is 212 days.

It’s been a big problem that needs fixing across the industry.

https://venturebeat.com/security/report-average-time-to-dete...

I was not referring to the timeline from the breach but the timeline from the transfer of funds, which by their nature are visible on the blockchain, and even with everything else failing wouldn't this be on dashboards and part of regular monitoring anywhere else?
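The commenter's point is that outflows from a bridge contract are public, so a large drain can be detected independently of any intrusion detection on the operator's own network. The following is an added example, not code from the thread or from any bridge project: a minimal outflow monitor that raises an alert when a single withdrawal, or the sum of withdrawals inside a sliding window, exceeds a fraction of the value currently locked. The transfer events, the locked balance and the 5% / 10% thresholds are constructed for illustration; a real deployment would feed it from an on-chain event log.

```python
"""Sliding-window outflow monitor for a bridge treasury.  Added example;
the sample events and thresholds are constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Transfer:
    ts: int          # unix seconds
    direction: str   # "in" or "out", relative to the bridge contract
    amount: int      # value in one unit, e.g. USD-equivalent


def detect_anomalous_outflows(events, locked_value, single_pct=0.05,
                              window_seconds=3600, window_pct=0.10):
    """Return a list of (ts, reason, amount) alerts.

    Two rules, both measured against the balance locked *before* the
    transfer being examined:
      - single_outflow: one withdrawal >= single_pct of the balance
      - window_outflow: withdrawals within window_seconds >= window_pct
    `events` must be sorted by timestamp."""
    alerts = []
    window = deque()   # (ts, amount) of outflows still inside the window
    window_sum = 0
    balance = locked_value
    for ev in events:
        if ev.direction == "in":
            balance += ev.amount
            continue
        # Drop outflows that have aged out of the sliding window.
        while window and window[0][0] < ev.ts - window_seconds:
            _, old = window.popleft()
            window_sum -= old
        window.append((ev.ts, ev.amount))
        window_sum += ev.amount
        if ev.amount >= single_pct * balance:
            alerts.append((ev.ts, "single_outflow", ev.amount))
        if window_sum >= window_pct * balance:
            alerts.append((ev.ts, "window_outflow", window_sum))
        balance -= ev.amount
    return alerts


# Constructed sample: 100M locked, a slow drain in small pieces followed by
# one large withdrawal.  None of the first four pieces trips the single rule.
LOCKED = 100_000_000
SAMPLE_EVENTS = [
    Transfer(0,     "out", 1_000_000),
    Transfer(600,   "out", 4_000_000),
    Transfer(1200,  "out", 4_000_000),
    Transfer(1800,  "out", 4_000_000),    # window total 13M >= 10% of 91M
    Transfer(10000, "in",  3_000_000),
    Transfer(10500, "out", 30_000_000),   # trips both rules on its own
]


def run_sample():
    return detect_anomalous_outflows(SAMPLE_EVENTS, LOCKED)


if __name__ == "__main__":
    for ts, reason, amount in run_sample():
        print(f"t={ts:>6}  {reason:<15}  {amount:,}")
```

The window rule is what catches the first drain: each piece stays under the single-transfer limit, but the fourth pushes the hour's total past 10% of what is locked. Thresholds expressed as a fraction of the current balance, rather than absolute amounts, keep the check meaningful as the locked value changes.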
The companies getting hacked are not the web3 ones like Ethereum or Terra. They are normally inside jobs with the founders stealing from the "decentralised" network they secretly control. It's the exchanges that are run like traditional business without the magic blockchain power.
Ethereum is not a company.
Not officially, but in practice nothing distinguishes it from a company.
Companies are easier to sue.