
multisig

Blast network hits $400M TVL, rebuts claim that it’s too centralized

The Blast team responded to claims that its multi-signature upgrade functionality makes it too centralized.

Web3 protocol Blast network has gained over $400 million in total value locked (TVL) in the four days since it was launched, according to data from blockchain analytics platform DeBank. But in a Nov. 23 social media thread, Polygon Labs developer relations engineer Jarrod Watts claimed that the new network poses significant security risks due to centralization.

The Blast team responded to the criticism from its own X (formerly Twitter) account, but without directly referring to Watts’ thread. In its own thread, Blast claimed that the network is as decentralized as other layer-2s, including Optimism, Arbitrum, and Polygon.

Blast network claims to be “the only Ethereum L2 with native yield for ETH and stablecoins,” according to marketing material from its official website. The website also states that Blast allows a user’s balance to be “auto-compounded” and that stablecoins sent to it are converted into “USDB,” a stablecoin that auto-compounds through MakerDAO’s T-Bill protocol. The Blast team has not released technical documents explaining how the protocol works but says they will be published when the airdrop occurs in January.

Blast was released on Nov. 20. In the intervening four days, the protocol's TVL has gone from zero to over $400 million.

Watts' original post says Blast may be less secure or decentralized than users realize, claiming that Blast “is just a 3/5 multisig.” If an attacker gets control of three out of five team members’ keys, they can steal all of the crypto deposited into its contracts, he alleged.

According to Watts, the Blast contracts can be upgraded via a Safe (formerly Gnosis Safe) multi-signature account that requires three of five signatures to authorize a transaction. If the private keys behind three of those signatures are compromised, the contracts can be upgraded to whatever code the attacker wishes, which means an attacker who pulls this off could transfer the entire $400 million TVL to their own account.

In addition, Watts claimed that Blast “is not a layer 2,” despite its development team claiming so. Instead, Blast simply “[a]ccepts funds from users” and “[s]takes users' funds into protocols like LIDO,'' with no actual bridge or testnet being used to perform these transactions. Furthermore, it has no withdrawal function. To be able to withdraw in the future, users must trust that the developers will implement the withdrawal function at some point in the future, Watts claimed.

Additionally, Watts claimed that Blast contains an “enableTransition” function that can be used to set any smart contract as the “mainnetBridge,” which means that an attacker could steal the entirety of users’ funds without needing to upgrade the contract.

Despite these attack vectors, Watts claimed that he does not believe Blast will lose its funds. “Personally, if I had to guess, I don't think the funds will be stolen,” he stated, but also warned that “I personally think it's risky to send Blast funds in its current state.”

In a thread from its own X account, the Blast team stated that its protocol is just as safe as other layer-2s. “Security exists on a spectrum (nothing is 100% secure),” the team claimed, “and it's nuanced with many dimensions.” It may seem that a non-upgradeable contract is more secure than an upgradeable one, but this view can be mistaken. If a contract is non-upgradeable but contains bugs, “you are dead in the water,” the thread stated.

Related: Uniswap DAO debate shows devs still struggle to secure cross-chain bridges

The Blast team claims the protocol uses upgradeable contracts for this very reason. However, the keys for the Safe account are “in cold storage, managed by an independent party, and geographically separated.” In the team's view, this is a “highly effective” means of safeguarding user funds, which is “why L2s like Arbitrum, Optimism, Polygon” also use this method.

Blast is not the only protocol that has been criticized for having upgradeable contracts. In January, Summa founder James Prestwich argued that Stargate bridge had the same problem. In December 2022, Ankr protocol was exploited when its smart contract was upgraded to allow 20 trillion Ankr Reward Bearing Staked BNB (aBNBc) to be created out of thin air. In the case of Ankr, the upgrade was performed by a former employee who hacked into the developer’s database to obtain its deployer key.

Gone in 12 Seconds: Two MIT-Educated Brothers Arrested for Alleged Lightning-Fast $25,000,000 Crypto Exploit

Gitcoin screws up transfer, sends $460K to unrecoverable address

Gitcoin’s project lead said the snafu has resulted in nearly half a million in funds being forever locked in a one-way contract address.

Crypto developer platform Gitcoin has admitted to losing approximately $460,000 of Gitcoin (GTC) tokens after mistakenly sending the funds to an unrecoverable contract address.

On Oct. 6, project lead “CoachJonathan” posted details of the incident on the Gitcoin governance forum. He said the transfer of GTC from the treasury was intended for a merchandise, memes, and marketing budget proposal.

However, rather than going to a multisignature address, the funds went to the GTC token contract itself.

“This has rendered the funds stuck in the contract, with no way of recovering them,” he lamented.

A total of 521,440 GTC tokens were lost in the snafu. The coin was trading at just below $0.90 at the time, making the dollar loss an estimated $461,000.

Following the transfer, Gitcoin core developers were contacted to explore whether the contract had a withdraw function or was upgradeable. Neither was the case, so the funds have been flagged as lost.

In light of the incident, the team has shared plans to ensure such an error never happens again and create clearer accountability if there is another incident.

“Large token holders and multisig signers have a responsibility to be extra diligent when it comes to handling funds that do not belong to them (myself included),” he concluded.

Gitcoin researcher Umar Khan commented on the forum that the DAO could consider the lost tokens a reduction in GTC supply rather than a loss of treasury funds.

Observers said “Crypto UX is sadly really broken if this can happen.”

Related: Crypto.com accidentally transferred $10.5M to client instead of $100 refund

Gitcoin is a platform to fund Web3 builders looking for open-source work. Project owners and developers can publish their projects while donors can browse a list of projects and choose what they would like to fund.

The price of GTC has fallen 1.1% over the past 24 hours and was trading at $0.889 at the time of writing. Moreover, the token is down a whopping 99% since its May 2021 all-time high of $89.62, according to CoinGecko.

Magazine: 3AC fugitives in disarray as OPNX faces new peril: Asia Express

What are address poisoning attacks in crypto and how to avoid them?

Address poisoning attacks involve tracking, misusing or compromising cryptocurrency addresses.

The term address poisoning comes from network security, where it describes inserting bogus entries into the tables a system uses to route traffic (ARP or DNS cache poisoning, for example) so that traffic is rerouted, services are interrupted or data is exposed. In cryptocurrency the target is different: the addresses that identify the sender and recipient of a transaction. The attacks below manipulate, imitate or misuse those addresses so that a user pays or trusts the wrong party, threatening both the user’s funds and confidence in the network.

This article will explain what address poisoning attacks are, their types and consequences, and how to protect oneself against such attacks.

Address poisoning attacks in crypto, explained

In the world of cryptocurrencies, hostile actions where attackers influence or deceive consumers by tampering with cryptocurrency addresses are referred to as address poisoning attacks.

On a blockchain network, these addresses, which are made up of distinct alphanumeric strings, serve as the source or destination of transactions. These attacks use a variety of methods to undermine the integrity and security of cryptographic wallets and transactions.

Address poisoning attacks in the crypto space are mostly used to either illegally acquire digital assets or impair the smooth operation of blockchain networks. These attacks may encompass:

Theft

Attackers may trick users into transmitting their funds to malicious addresses using strategies such as phishing, transaction interception or address manipulation.

Disruption

Address poisoning can be used to disrupt the normal operations of blockchain networks by introducing congestion, delays or interruptions in transactions and smart contracts, reducing the effectiveness of the network.

Deception

Attackers frequently attempt to mislead cryptocurrency users by posing as well-known figures. This undermines community trust in the network and might result in erroneous transactions or confusion among users.

To protect digital assets and the general integrity of blockchain technology, address poisoning attacks highlight the significance of strict security procedures and constant attention within the cryptocurrency ecosystem.

Related: How to mitigate the security risks associated with crypto payments

Types of address poisoning attacks

Address poisoning attacks in crypto include phishing, transaction interception, address reuse exploitation, Sybil attacks, fake QR codes, address spoofing and smart contract vulnerabilities, each posing unique risks to users’ assets and network integrity.

Phishing attacks

In the cryptocurrency realm, phishing attacks are a prevalent type of address poisoning, which involves criminal actors building phony websites, emails or communications that closely resemble reputable companies like cryptocurrency exchanges or wallet providers.

These fraudulent platforms try to trick unsuspecting users into disclosing their login credentials, private keys or mnemonic (recovery/seed) phrases. With those secrets, attackers can sign transactions as the victim and drain the wallet, whether it holds Bitcoin (BTC) or any other asset.

For instance, hackers might build a fake exchange website that looks exactly like the real thing and ask consumers to log in. Once they do so, the attackers can gain access to customer funds on the actual exchange, which would result in substantial financial losses.

Transaction interception

Another method of address poisoning is transaction interception, in which an attacker alters a valid transaction before it is signed or broadcast so that the destination becomes an address the attacker controls. This usually requires malware on the user’s device or a compromised network path; a common form is a clipboard hijacker that silently replaces a copied address with the attacker’s own, which is why the destination should be verified on a trusted display before signing.

Address reuse exploitation

Attackers monitor the blockchain for addresses that are used over and over. Reusing an address publishes its full transaction history and ties every payment to one party, which makes the user’s habits predictable: an attacker who sees regular payments to a fixed address can target that user, for example by planting a look-alike of that address in the user’s history (see address spoofing and dusting below).

For instance, if a user consistently receives funds at the same Ethereum address, an attacker can observe this pattern and aim phishing, look-alike or dust transfers specifically at that user and at the counterparties who pay them.

Sybil attacks

To exert disproportionate control over a cryptocurrency network’s functioning, Sybil attacks entail the creation of several false identities or nodes. With this control, attackers are able to modify data, trick users, and maybe jeopardize the security of the network.

Sybil attacks have the most leverage where influence is counted per identity, such as the peer-to-peer layer that relays blocks and transactions: a flood of attacker-controlled nodes can surround a victim’s node and feed it a false view of the chain (an eclipse attack). Proof-of-stake (PoS) and proof-of-work consensus tie voting power to stake or hashpower rather than to node count, so creating many identities alone does not let an attacker alter transactions or double-spend; that would also require a majority of the stake or hashpower.

Fake QR codes or payment addresses

Address poisoning can also happen when fake payment addresses or QR codes are distributed. Attackers often deliver these bogus codes in physical form to unwary users in an effort to trick them into sending cryptocurrency to a location they did not plan.

For example, a hacker might disseminate QR codes for cryptocurrency wallets that look real but actually include minor changes to the encoded address. Users who scan these codes unintentionally send money to the attacker’s address rather than that of the intended receiver, which causes financial losses.

Address spoofing

Attackers who use address spoofing create cryptocurrency addresses that closely resemble real ones. The idea is to trick users into transferring money to the attacker’s address rather than the one belonging to the intended recipient. The visual resemblance between the fake address and the real one is used in this method of address poisoning.

An attacker might, for instance, create a Bitcoin address that closely mimics the donation address of a reputable charity. Unaware donors may unintentionally transfer money to the attacker’s address while sending donations to the organization, diverting the funds from their intended use.

Smart contract vulnerabilities

Attackers exploit flaws in decentralized applications (DApps) or smart contracts to carry out address poisoning, for example by manipulating how a contract resolves or stores recipient addresses so that funds are routed elsewhere or the contract behaves in ways its authors did not intend. Users can lose money as a result, and decentralized finance (DeFi) services can be disrupted.

Consequences of address poisoning attacks

Address poisoning attacks can have devastating effects on both individual users and the stability of blockchain networks. Because attackers may steal crypto holdings or alter transactions to reroute money to their own wallets, these assaults frequently cause large financial losses for their victims.

Beyond monetary losses, these attacks may also result in a decline in confidence among cryptocurrency users. Users’ trust in the security and dependability of blockchain networks and related services may be damaged if they fall for fraudulent schemes or have their valuables stolen.

Additionally, some address poisoning assaults, such as Sybil attacks or the abuse of smart contract flaws, can prevent blockchain networks from operating normally, leading to delays, congestion or unforeseen consequences that have an effect on the entire ecosystem. These effects highlight the need for strong security controls and user awareness in the crypto ecosystem to reduce the risks of address poisoning attacks.

Related: How to put words into a Bitcoin address? Here’s how vanity addresses work

How to avoid address poisoning attacks

To protect users’ digital assets and keep blockchain networks secure, it is crucial to avoid address poisoning assaults in the cryptocurrency world. The following ways may help prevent being a target of such attacks:

Use fresh addresses

Using a fresh receiving address for each payment limits what an observer can learn by watching the chain and keeps a single address from recurring in the user’s history, which is what copy-paste poisoning exploits. Hierarchical deterministic (HD) wallets make this practical: every address is derived from one seed, so the user backs up a single secret while the wallet hands out a new address per payment. Note that the derivation is deterministic, so these addresses are not unpredictable in general; they are unpredictable only to someone who does not hold the wallet’s extended public key.

Address rotation does not stop an attacker from sending look-alike dust, but it shrinks the window in which a stale, poisoned history entry can be mistaken for a live payee, and it avoids the linkability problems of address reuse described above.

Utilize hardware wallets

Hardware wallets are a more secure alternative to software wallets. They keep private keys offline, and because the device shows the destination address and amount on its own screen before signing, a swapped or look-alike address can be caught even if the computer the wallet is connected to is compromised.

Exercise caution when disclosing public addresses

People should exercise caution when disclosing their crypto addresses in the public sphere, especially on social media sites, and should opt for using pseudonyms.

Choose reputable wallets

It is important to use well-known wallet providers that are known for their security features and regular software updates to protect oneself from address poisoning and other attacks.

Regular updates

To stay protected against address poisoning attacks, it is essential to update the wallet software consistently with the newest security fixes.

Implement whitelisting

Keep an allowlist (address book) of verified destination addresses and send only to entries in it; many wallets and exchanges can lock withdrawals to pre-approved addresses. Nobody can stop inbound transfers on a public chain, so an allowlist protects the outbound side: a poisoned look-alike that appears in the transaction history can never be selected as a recipient, because selection happens by exact match against the saved entry rather than by eye.

Consider multisig wallets

Wallets that require multiple private keys to approve a transaction are known as multisignature (multisig) wallets. These wallets can provide an additional degree of protection by requiring multiple signatures to approve a transaction.

Utilize blockchain analysis tools

People can track and examine incoming transactions with blockchain analysis tools to spot potentially harmful activity. Sending seemingly trivial amounts of crypto (dust) to many addresses is a common practice known as dusting; the poisoning variant on account-based chains is a tiny or zero-value transfer from a look-alike address, so that the attacker’s address shows up in the victim’s transaction history. Examining the pattern of these dust transfers reveals poisoning attempts.

On UTXO-based chains such as Bitcoin, dust arrives as tiny unspent transaction outputs (UTXOs). Analysts can identify possibly poisoned wallets by locating the UTXOs created by dust transactions, and users should avoid spending such outputs together with their other coins, since doing so links their addresses for the sender.
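A practitioner’s defence against the look-alike and dusting tricks described above, and against the kind of mistaken destination in the Gitcoin incident earlier on this page, comes down to how addresses are compared. The following is an added example, not code from the article or from any project it mentions: it works on Ethereum-style account addresses, flags inbound transfers that imitate an address the user has paid (matching the head and tail a truncated wallet UI displays) or that are dust-sized, and gates outbound transfers through an exact-match allowlist that also refuses the token’s own contract as a destination. The addresses, the transfer history, the dust threshold and the six-plus-four display heuristic are constructed assumptions; the EIP-55 checksum is deliberately not recomputed because the standard library has no keccak-256.

```python
"""Address-poisoning defences for an Ethereum-style (account-model) wallet.

Added example, not from the article.  All addresses and transfers below are
constructed.  Two sides of the problem: flag suspicious entries in the inbound
history (look-alike senders, dust), and gate outbound transfers through an
exact-match allowlist that also refuses a token's own contract as destination.
"""
import re
from dataclasses import dataclass

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")
DUST_WEI = 10**13  # assumption: anything at or below 0.00001 ETH counts as dust


@dataclass(frozen=True)
class Transfer:
    direction: str     # "in" or "out", from the wallet owner's point of view
    counterparty: str  # the other party's address
    amount_wei: int


def normalize(addr):
    """Check the shape and lowercase.  The EIP-55 checksum is not recomputed here:
    it needs keccak-256, which hashlib does not provide."""
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not an address: {addr!r}")
    return addr.lower()


def looks_alike(candidate, reference, head=6, tail=4):
    """True when the two differ but agree on the characters a truncated wallet UI
    shows (0x1234ab...c0de).  Poisoners target exactly that display."""
    c, r = normalize(candidate), normalize(reference)
    return c != r and c[2:2 + head] == r[2:2 + head] and c[-tail:] == r[-tail:]


def flag_poisoning(history, allowlist, dust_wei=DUST_WEI):
    """Return {sender: [reasons]} for inbound transfers that deserve a second look."""
    known = {normalize(a) for a in allowlist}
    known |= {normalize(t.counterparty) for t in history if t.direction == "out"}
    flags = {}
    for t in history:
        if t.direction != "in":
            continue
        src = normalize(t.counterparty)
        if src in known:
            continue
        reasons = [f"look-alike of {k[:8]}...{k[-4:]}" for k in sorted(known) if looks_alike(src, k)]
        if t.amount_wei <= dust_wei:
            reasons.append("dust-sized transfer")
        if reasons:
            flags.setdefault(src, []).extend(reasons)
    return flags


def preflight(to, allowlist, token_contract=None):
    """Gate an outbound transfer: exact allowlist match only, and never the token itself."""
    dest = normalize(to)
    if token_contract is not None and dest == normalize(token_contract):
        raise ValueError("destination is the token contract itself; the tokens would be stuck")
    allowed = {normalize(a) for a in allowlist}
    if dest not in allowed:
        near = [a for a in sorted(allowed) if looks_alike(dest, a)]
        hint = f" (look-alike of allowlisted {near[0]})" if near else ""
        raise ValueError(f"destination not on the allowlist{hint}")
    return dest


# Constructed data: one allowlisted exchange deposit address and a poisoned history.
EXCHANGE = "0x1234abcd" + "00" * 14 + "c0de"            # 8 + 28 + 4 hex digits
LOOKALIKE = "0x1234abcd" + "deadbeef" * 3 + "ffffc0de"  # same head and tail, new middle
STRANGER = "0x" + "5a" * 20
DUSTER = "0x" + "07" * 20
TOKEN = "0x" + "de" * 20                                # hypothetical token contract
HISTORY = [
    Transfer("out", EXCHANGE, 10**18),        # the user's real payment
    Transfer("in", LOOKALIKE, 0),             # zero-value transfer planting the look-alike
    Transfer("in", STRANGER, 5 * 10**17),     # ordinary unrelated payment
    Transfer("in", DUSTER, 10**12),           # dust from an unknown sender
]

if __name__ == "__main__":
    for addr, why in flag_poisoning(HISTORY, [EXCHANGE]).items():
        print(addr, why)
```

`flag_poisoning` treats every address the user has already paid as a reference, because that is the set a poisoner imitates; `preflight` never falls back to a prefix or suffix comparison, which is the whole point: the UI may abbreviate, the comparison must not.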

Report suspected attacks

Individuals should respond right away in the event of a suspected address poisoning attack by getting in touch with the company that provides their crypto wallet through the official support channels and detailing the occurrence.

Additionally, they can report the occurrence to the relevant law enforcement or regulatory authorities for further investigation and potential legal action if the attack involved considerable financial harm or malevolent intent. To reduce possible risks and safeguard both individual and group interests in the cryptocurrency ecosystem, timely reporting is essential.

Web3 Must Overcome Significant UX Challenges to Reach Mass Adoption

User experience (UX) design affects nearly every waking moment of our lives. It’s not just digital either. Have you ever thought about the UX of doors? Perhaps a brief refresher of what UX is will help. A useful definition of UX is as follows: “A person’s perception and responses that result from the use or […]

Blockstream dreams up a whole new type of multisig called ROAST

The research unit of Bitcoin (BTC)-focused blockchain tech firm Blockstream has published a proposal for a new type of multisig standard called Robust Asynchronous Schnorr Threshold Signatures (ROAST).

The scheme aims to avoid the transaction failures that absent or even malicious signers cause in threshold signing, and to do so at scale.

The term multisig, or multisignature, refers to a method of transacting in which two or more signatures are required before a transaction can be executed. The approach is widely adopted in crypto.

According to a May 25 blog post from Blockstream research, the basic idea of ROAST is to make transactions between the Bitcoin network and Blockstream’s sidechain Liquid more efficient, automated, secure and private.

In particular, ROAST has been posited as a signature standard that could work with, and improve, threshold signature schemes such as FROST (Flexible Round-Optimized Schnorr Threshold Signatures):

“ROAST is a simple wrapper around threshold signature schemes like FROST. It guarantees that a quorum of honest signers, e.g., the Liquid functionaries, can always obtain a valid signature even in the presence of disruptive signers when network connections have arbitrarily high latency.”

The researchers highlighted that while FROST can be an effective method for signing off on BTC transactions, its structure of coordinators and signers is designed to abort transactions in the presence of absent signers, making it secure but suboptimal for “automated signing software.”

To solve this problem, the researchers say that ROAST can guarantee enough reliable signers on each transaction to avoid any failures, and it can do so at a scale much larger than the 11-of-15 multisig that Blockstream primarily uses.

“Our empirical performance evaluation shows that ROAST scales well to large signer groups, e.g., a 67-of-100 setup with the coordinator and signers on different continents,” the post reads, adding that:

“Even with 33 malicious signers that try to block signing attempts (e.g. by sending invalid responses or by not responding at all), the 67 honest signers can successfully produce a signature within a few seconds.”

To provide a simple explanation of how ROAST works, the team used an analogy of a democratic council responsible for legislation in “Frostland.”

The argument is that it can be complicated to get legislation (transactions) signed off in Frostland, since at any given time a myriad of factors can leave a majority of council members suddenly unavailable or absent.

A procedure (ROAST) to counteract this is for a council secretary to compile and maintain a large enough list of supporting council members (signers) at any given time, so that there are always enough members to get legislation through.

“If at least seven council members actually support the bill and behave honestly, then at any point in time, he knows that these seven members will eventually sign their currently assigned copy and be re-added to the secretary’s list.”

“Thus the secretary can always be sure that seven members will be on his list again at some point in the future, and so the signing procedure will not get stuck,” the post adds.
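The secretary’s list in the analogy above is the whole of ROAST’s coordinator logic, and it can be watched working in a few dozen lines. The following simulation is an added example, not Blockstream’s code or the paper’s: the FROST signing scheme that ROAST wraps is replaced by a toy threshold scheme (Shamir shares over a small prime field with Feldman commitments, so the coordinator can verify each response the way it verifies FROST partial signatures), and network delay is modelled by per-signer latencies on an event queue. The behaviour labels, latencies and field parameters are assumptions chosen for the demonstration.

```python
"""Simulation of the ROAST coordinator loop (the analogy's secretary and his list).

Added example, not Blockstream's code.  ROAST wraps FROST; here the threshold
scheme is a toy stand-in: Shamir shares over Z_q with Feldman commitments so the
coordinator can check every response, and a session "succeeds" once t verified
shares reconstruct the secret.  Field sizes are toy sizes, not secure ones.
"""
import heapq
import random

Q = 509   # share field Z_q (prime)
P = 1019  # P = 2q + 1, a safe prime
G = 4     # element of order q in Z_P^*

HONEST, DROP, LIAR = "honest", "drop", "liar"  # drop: never answers; liar: sends a bad share


def keygen(n, t, rng):
    """Toy dealer: random degree t-1 polynomial f, share i = f(i), commitments g^{a_j}."""
    coeffs = [rng.randrange(Q) for _ in range(t)]
    shares = {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    commits = [pow(G, c, P) for c in coeffs]
    return coeffs[0], shares, commits


def toy_keys(seed=7, n=5, t=3):
    return keygen(n, t, random.Random(seed))


def verify_share(i, share, commits):
    """g^share == prod_j commits[j]^(i^j): the check that lets the coordinator name disruptors."""
    expected = 1
    for j, c in enumerate(commits):
        expected = expected * pow(c, pow(i, j, Q), P) % P
    return pow(G, share, P) == expected


def reconstruct(points):
    """Lagrange interpolation at x = 0 over Z_q (stands in for combining partial signatures)."""
    secret = 0
    for i, s in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        secret = (secret + s * num * pow(den, -1, Q)) % Q
    return secret


def roast(n, t, behaviour, latency, shares, commits):
    """Drive sessions until one collects t valid shares.

    Returns (secret, sessions_started, finish_time).  Raises RuntimeError only
    when fewer than t signers are honest, a case ROAST does not promise to survive.
    """
    events, seq = [], 0

    def schedule(time, kind, signer, session=None, payload=None):
        nonlocal seq
        heapq.heappush(events, (time, seq, kind, signer, session, payload))
        seq += 1

    for i in range(1, n + 1):  # every signer announces itself (its first nonce)
        schedule(latency[i], "ready", i)

    ready, banned, sessions, started = [], set(), {}, 0
    while events:
        now, _, kind, i, sid, payload = heapq.heappop(events)
        if i in banned:
            continue
        if kind == "ready":
            ready.append(i)  # back on the secretary's list
        else:
            if not verify_share(i, payload, commits):
                banned.add(i)  # identified disruptor: out for good; session sid can never complete
                continue
            sessions[sid][i] = payload
            schedule(now, "ready", i)  # a valid response re-lists the signer at once
            if len(sessions[sid]) == t:
                return reconstruct(sessions[sid]), started, now
        while len(ready) >= t:  # enough supporters listed: hand out a new copy of the bill
            group, ready = ready[:t], ready[t:]
            started += 1
            sessions[started] = {}
            for j in group:
                if behaviour[j] == HONEST:
                    schedule(now + latency[j], "share", j, started, shares[j])
                elif behaviour[j] == LIAR:
                    schedule(now + latency[j], "share", j, started, (shares[j] + 1) % Q)
                # DROP signers never answer; the honest members of this session still
                # respond, get re-listed, and are assigned to a later session.
    raise RuntimeError("stuck: fewer than t honest signers")


def demo(behaviour=None, seed=7):
    """3-of-5 group, one liar and one dropper by default; returns (ok, sessions, finish_time)."""
    n, t = 5, 3
    secret, shares, commits = toy_keys(seed, n, t)
    behaviour = behaviour or {1: HONEST, 2: HONEST, 3: LIAR, 4: DROP, 5: HONEST}
    latency = {1: 3, 2: 1, 3: 1, 4: 1, 5: 2}
    got, sessions, when = roast(n, t, behaviour, latency, shares, commits)
    return got == secret, sessions, when


if __name__ == "__main__":
    print(demo())
```

`demo()` runs a 3-of-5 group with one signer that sends an invalid share and one that never answers: the first session dies, the honest members are re-listed as soon as they respond, and the second session completes, within the bound of at most n - t + 1 sessions that the paper proves. With fewer than t honest signers the loop runs out of events and raises, since ROAST makes no promise in that case.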

Related: ‘DeFi is not decentralized at all,’ says former Blockstream executive

ROAST is part of a collaboration between Blockstream researchers Tim Ruffing and Elliott Jin, Viktoria Ronge and Dominique Schröder from the University of Erlangen-Nuremberg and Jonas Schneider-Bensch from the CISPA Helmholtz Center for Information Security.

Accompanying the blog post, the researchers also linked to a 13-page research paper that describes ROAST in greater detail.

Bitcoin.com Wallet Adds Support For Multisig (Shared) Wallets

The Bitcoin.com Team is excited to announce support for shared (multisig) wallets for Bitcoin and Bitcoin Cash in the Bitcoin.com Wallet. That means you can protect your most valuable wallets with a unique form of two-factor authentication, set up a corporate treasury, safely introduce your kids to Bitcoin, and more. What Are Shared Wallets? […]

Poly Network Says Stolen User Assets on ETH Have Been Returned, Except Frozen USDT

On Friday, a few days after the initial hack for $611 million, the Poly Network project detailed that the company has obtained all the assets stolen minus the frozen tether that was blacklisted by Tether Limited. The Poly Network team said they are in control of the funds along with “Mr. White Hat,” but the […]

Poly Network Hacker Says ‘In the Defi World Code Is Law’ While Returning Millions in Defi Tokens

Two days after the notorious Poly Network hack, the hacker continues to send funds back to the project. On August 12, the Poly Network hacker so far has returned millions worth of ether, thousands of uni tokens, 1,032 wrapped bitcoins, and 96 million in stablecoins. The day prior, after returning $260 million in tokens, the […]

Poly Network Defi Hacker Returns a Large Fraction of Tokens, Chainalysis Evaluates Hacker’s Onchain Movements

On August 11, the blockchain intelligence firm Chainalysis published its findings on the recent Poly Network hack which saw the loss of approximately $611 million in crypto tokens. The assessment from Chainalysis backed up the claims made by the security company Slowmist that the hacker left a fingerprint on the relatively unknown exchange Hoo.com. […]

Poly Network Hacker Returns $4.7M in Funds — Attacker Asks Devs to Unlock Frozen Tether Stash

On Tuesday, the decentralized finance (defi) project Poly Network was hacked for over $600 million in digital assets. The attack was the largest defi hack to date, eclipsing all of 2021’s defi hacks combined. The very next day, however, the hacker started to send funds back to the Poly Network team as the project’s official […]
