Hacker News new | ask | show | jobs
by primitivesuave 86 days ago
Missing from the article - the hacker first compromised Resolv Lab's AWS account, took a private key from KMS that was used to control minting, then managed to extract $25 million into ETH before all protocol functions were suspended.
3 comments
WatchDog 86 days ago
> took a private key from KMS

They used KMS to sign the minting operation, but they didn't "take" the key, AWS KMS doesn't let you extract keys.

link
pants2 86 days ago
^ this is a common security misconception in crypto. "We're using an HSM, they can't steal our private key." OK genius now you still have to secure the HSM.

There's no shortcut to MPC/multisig with 3+ keyholders.

link
Ferret7446 86 days ago
It's still significantly better, since access can be revoked, vs a leaked key where you're permanently fucked
link
pants2 86 days ago
Not much better because even a single signature can drain your whole wallet.
link
WatchDog 86 days ago
> you still have to secure the HSM

Obviously.

> There's no shortcut to MPC/multisig with 3+ keyholders.

The whole concept of a stablecoin seems to be based on centralised trust. Ultimately there is some org that has the fiat bank account, that mints and redeems the coins.

link
idiotsecant 86 days ago
Nope, that is the foundation of bad stablecoin. Trustless decentralized stablecoin like DAI exist. People just largely don't do their homework and prefer scams that lure them in with promises of 'yield'
link
Hendrikto 86 days ago
DAI and SKY are backed in large part by USDC, so they are not truly decentralized. It is possible in theory, but nobody has successfully done it so far.
link
killerstorm 86 days ago
It's possible in practice: that's how DAI worked originally. It's just not very competitive where the main customer -- traders -- want a lot of liquidity and razor thin spread.
link
idiotsecant 85 days ago
DAI made some dumb decisions for market reasons recently but it was an actual stablecoin for a long time. It worked fine, they just decided to make it worse for some reason.
link
thebiblelover7 86 days ago
Do you have a source for that information? I'd like to read more on it.
link
layer8 86 days ago
https://www.chainalysis.com/blog/lessons-from-the-resolv-hac...

https://xcancel.com/zacodil/status/2035658779706974556

link
abrookewood 86 days ago
It's explicitly mentioned in the article:

A step by step breakdown of the attack Step 1. Gaining Access to Resolv’s AWS KMS Environment

link
leonidasv 86 days ago
The link was changed, the old one did not mention it (apparently): https://news.ycombinator.com/item?id=47498220
link
rithdmc 86 days ago
Thank you! I was scratching my head at this, having seen 'Step 1'
link