Early Impressions from the Upbit Hack

Uri Eden
Nov 27, 2019

Today, major South Korean exchange Upbit confirmed that 342,000 Ether had been stolen from its hot wallet — funds worth an estimated $50 million. While the actor and method of attack are still unclear, Curv offers several early impressions of the Upbit hack and the questions it raises about wallet security more broadly:

1) Why did Upbit not use a multi-sig wallet?

After a quick scan of the “hacked” transaction in block explorers, it is clear the transaction did not originate from a smart-contract multi-sig wallet but instead came from a single-signature wallet. In our previous blog we highlighted many of the drawbacks of implementing multi-sig wallets using smart contracts for Ethereum. These include:

a. Increased transaction fees

b. Security bugs and issues with smart contracts

c. Rotation of keys and IT hygiene

d. Compatibility — lack of support from other wallet providers for internal transactions

To date, the most likely reason many exchanges have chosen not to implement a smart-contract-based multi-sig wallet for Ethereum is the compatibility issue. As a result, clients with incompatible wallets are unable to receive withdrawals.

It is possible that, for the above-mentioned reasons and concerns, Upbit chose not to implement multi-sig technology for its Ethereum wallets, and that for this reason alone Ethereum was stolen in the hack.

2) Out-of-band policy — Lessons not learned from Binance

As in the Binance hack, the out-of-band policy and velocity controls in place were inadequate. It is important to apply these controls not only to detect but also to prevent withdrawals that do not meet the exchange’s predefined security policy. Such policies can include: an approval quorum for withdrawals of large sums, whitelisting of approved addresses and velocity controls, and limiting the amount that can be transferred from the wallets.
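The controls listed above, sketched as a policy gate that runs before a withdrawal is signed, so a failing request is blocked rather than only logged. This is an added example, not code from Curv or Upbit; the class name, thresholds, addresses and approver names are hypothetical and the requests are constructed.

```python
from collections import deque
from dataclasses import dataclass, field
from decimal import Decimal

@dataclass
class WithdrawalPolicy:
    """Hypothetical pre-signing policy gate; all thresholds are illustrative."""
    whitelist: set             # approved destination addresses
    quorum_threshold: Decimal  # amounts at or above this need a quorum
    quorum_size: int           # distinct approvers required for large sums
    window_seconds: int        # rolling window for the velocity control
    window_limit: Decimal      # maximum total outflow inside the window
    _history: deque = field(default_factory=deque)  # (time, amount) of allowed withdrawals

    def evaluate(self, dest, amount, approvers, now):
        """Return (allowed, reason); only allowed requests count toward velocity."""
        if amount <= 0:
            return False, "invalid amount"
        if dest not in self.whitelist:
            return False, "destination not whitelisted"
        if amount >= self.quorum_threshold and len(set(approvers)) < self.quorum_size:
            return False, "approval quorum not met"
        # Drop entries that have aged out of the rolling window.
        while self._history and self._history[0][0] <= now - self.window_seconds:
            self._history.popleft()
        spent = sum((a for _, a in self._history), Decimal(0))
        if spent + amount > self.window_limit:
            return False, "velocity limit exceeded"
        self._history.append((now, amount))
        return True, "ok"

def demo():
    """Run constructed requests through the gate and return the decisions."""
    policy = WithdrawalPolicy(
        whitelist={"0xCOLD_WALLET", "0xPARTNER"},  # constructed placeholder addresses
        quorum_threshold=Decimal("1000"), quorum_size=2,
        window_seconds=3600, window_limit=Decimal("5000"))
    requests = [  # (destination, amount in ETH, approvers, unix time), all constructed
        ("0xPARTNER", Decimal("500"), ["alice"], 0),
        ("0xUNKNOWN", Decimal("342000"), ["alice", "bob"], 10),
        ("0xPARTNER", Decimal("2000"), ["alice"], 20),
        ("0xPARTNER", Decimal("2000"), ["alice", "bob"], 30),
        ("0xCOLD_WALLET", Decimal("3000"), ["alice", "bob"], 40),
        ("0xCOLD_WALLET", Decimal("3000"), ["alice", "bob"], 3700),
    ]
    return [policy.evaluate(*r) for r in requests]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The gate only prevents withdrawals if it is enforced by a component separate from the hot-wallet signer, so that whoever obtains the signing key cannot simply skip the check.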

Using multi-party computation (MPC), Curv allows its clients to maintain the same level of protection regardless of the asset type and completely supports Ethereum without any of the above-mentioned disadvantages.

Contact us to learn how Curv can help secure your institutional wallet.