Main Channel t.me/blockchain_lobsters
Like realistically, how would that even work? Fine if all validators came together within like minutes, but now it would be a nightmare. Also, if you roll back, where do you stop? Do you roll back if the CIA hacks a DPRK exchange? You get into weird political areas very quickly, like truck protesters in Canada, etc.
Windows can do the same secure boot sequence as well.
Nonetheless, a minimal OS could be hardened a lot more easily than macOS or Windows.
Seems like a niche market, as bigger firms might already use solutions from Fireblocks and others.
Could find some supporters if someone builds a minimal OS for that specific purpose.
Additionally, one could limit interactions to a few whitelisted smart contracts. Frontends would still be at risk of getting compromised; whitelisting domains would only improve security in that users wouldn't browse the web with the signer devices.
The goal should not be to protect the key, but to minimize the attack surface for compromising what the signer thinks he sees.
https://x.com/zerototom/status/1892578189278388519?s=45
Is any DeFi providing this kind of yield farming strategy?
https://governance.aave.com/t/arfc-susde-and-usde-price-feed-update/20495/17
Yeah, but if USDe falls, AAVE will suffer
With that much money on the line, they can certainly afford a dedicated machine.
All might be accessing the URL through a Tailscale-installed machine.
Did this have anything to do with having a separate laptop? All signers got a message from the right URL. Your second point about reading hex seems to apply here. But how could this have been engineered? Through Safe?
I'm going to make it possible by rolling out a stablecoin that, even if hacked, can always be recovered through rebasing. It's in my roadmap.
There is work being done in this area. I have written a paper on this. Also, these guys are working on this: https://resolv.finance/
Some recoverable ERC-20s could be one option, but that will just complicate the whole trustless assumptions if assets can be recalled within a time frame. Not the end of the world, but it leaves out some use cases.
Fair, maybe we need external simulators in between sites and signing.
I'm not a security expert, but I'm wondering:
- Regarding secure boot, I think macOS can do the same effectively
- For isolated browser tabs, Firefox containers or similar
https://fixvx.com/rajgokal/status/1893194119675064726?s=52&t=R_8T82mC-3nkWjlo90ZV1Q
https://x.com/bl4ckb1rd71/status/1892980895260516472
https://www.bybit.com/en/press/live/eth-wallet-incident
Do you think our industry has this earnestness yet?
No. I compromise your machine with a PDF or a Zoom link, spoof the Safe frontend entirely on your local machine, and when you submit a real transaction through my fake interface, I pass a hack transaction to your hardware wallet, which you then sign.
Man-in-the-middle attack vector; it works because nobody reads the hardware wallet hex to figure out what they're signing. The solution is to have a machine that isn't easy to compromise because you only use it for that one task (signing transactions).
One of the signers using the Safe mobile app probably would've stopped it too.
These weren't even ERC-20s that were stolen; it was native ETH. ERC-20 schemes have no place in this discussion, when proper signer best practices would have stopped the entire thing cold.
I never worry about my funds at Aave or Morpho. But it seems that every cycle a CEX and custodian blows up.
They were simply served a fake Safe UI through DNS spoofing, sers. Easy as that. It has nothing to do with the actual Safe you are seeing :D
I'm afraid it won't necessarily help much, as it takes a second to realize an unauthorized exploit, and by that time the assets are sold.
It basically shows everything correct for your desired tx, and just inserts the malicious calldata at the signing stage.