Coin minting scams are on the rise

15 replies 245 views
quantumbearHero Member
Posts: 411 · Reputation: 2212
#1Oct 4, 2020, 04:22 PM
From exchanges to DeFi and bridges, the more innovation we see, the happier the hackers get. We had the KelpDAO exploit, the Echo eBTC exploit on Monade, and just yesterday it was about the H tokens. Did you catch the news on that? I thought it was worth sharing once I learned a bit more about how the scam unfolded. It's basically the same old story again. Three out of six Gnosis Safe owner keys that were managing the Hyperlane bridge ProxyAdmin got compromised, and on top of that, three out of five BSC Safe owner keys were also hacked. Roughly $36 million got taken. There could've been another victim, Zec, if it hadn't been caught in time.
2 Reply Quote Share
nick2013Senior Member
Posts: 209 · Reputation: 1359
#2Oct 4, 2020, 08:58 PM
I think there's no way to know if it's been used so far no? From what i've heard it would take some serious audits to know the real supply but yeah the chances someone actually spotted this vulnerability in the past are slim.
3 Reply Quote Share
quantumbearHero Member
Posts: 411 · Reputation: 2212
#3Oct 4, 2020, 11:33 PM
I do not know if new Zec has been minted, I only posted what I know about the vulnerability, that there has been no explanation. Researchers and Zcash developers have stated that they have not found signs of any exploitation, but I do not know if they were lies and bribery, but I do not think it can be like that.
0 Reply Quote Share
nick2013Senior Member
Posts: 209 · Reputation: 1359
#4Oct 5, 2020, 01:10 AM
As they say "don't trust, verify". It would take more than a statement from Zcash devs for the uncertainty around the coin to go away. At least an audit by an independent 3rd party firm with good reputation.
3 Reply Quote Share
alex2014Full Member
Posts: 225 · Reputation: 798
#5Oct 5, 2020, 06:24 PM
It's actually $36 millions in H token, correct the typo error in the ops. Like we have always stated that every new brige of protocol development exposes the project to potential attacks like this one, although the is never an access without insider's opening the back-doors, the three staff's laptops become the gateway to hit the H token. One thing that is peculiar with all this attacks is, security failure - key takeover and finally wallet draining in some cases new tokens get minted but in this case there is no such reports yet.
4 Reply Quote Share
tomdefiFull Member
Posts: 126 · Reputation: 377
#6Oct 8, 2020, 12:27 AM
Only $36?  Mate I think that's a typo Bridges and different protocols, especially on BSC, that have not been properly audited seem to have a lot of vulnerabilities, and thanks to AI, hackers are making a killing out of them. The other day I saw a video of a guy trying to explain how hackers exploit those protocols, and there might actually be more hacks than what we see in the media.
1 Reply Quote Share
quantumbearHero Member
Posts: 411 · Reputation: 2212
#7Oct 8, 2020, 01:20 AM
The best is to quote me next time just as JeromeTash did, but you still deserve at least 1 merit also. I got notification after JeromeTash quoted me for the correction. Yes, it is a typo, I have corrected it. Thanks.
2 Reply Quote Share
raven1337Hero Member
Posts: 530 · Reputation: 3357
#8Oct 8, 2020, 05:43 AM
ZEC developers have been doing formal verification to its bug and its impact, and they found no new ZEC minted from that bug. So they patched it, and try to ensure there will be no same problem to happen. If there was new ZEC minted, i believe it would already dumped to the market.
2 Reply Quote Share
alex2014Full Member
Posts: 225 · Reputation: 798
#9Oct 8, 2020, 06:58 AM
Oh yeah that is the right thing to do, but I know you are going to correct that typo error regardless if I quote you or not, you always reread your post's and correct typo's that are inputed auto from device.   anyways thanks always, latest update on the H coin exploit shown that there was no new coin minted just few hot wallets keys were gained.
2 Reply Quote Share
w0lf404Hero Member
Posts: 801 · Reputation: 2381
#10Oct 8, 2020, 07:22 AM
One proposed network improvement is for users to be able to verify the integrity of Zcash available in Orchard pools. The proposed improvement likely hasn't been implemented yet, just an emergency network patch. Well, let's hope it can actually detect excess Zcash supply on an invisible network. Some comments have suggested scenarios where verification is difficult.
6 Reply Quote Share
jake_gweiSenior Member
Posts: 346 · Reputation: 1359
#11Oct 9, 2020, 01:14 PM
Bigger question here: why the heck a coin or a token have minting mechanism, the case of H is odd because you can literally mint token out of thin air by getting ahold of the private key. Isn't that simply ridiculous? is this minting mechanism needed in the first place or is it a backdoor? we should treat coin or token with minting mechanism as malicious contract for real.
3 Reply Quote Share
fullnodeSenior Member
Posts: 222 · Reputation: 1515
#12Oct 9, 2020, 04:39 PM
It’s not three of five laptops, but rather three of five keys held on the same laptop that were compromised and which gave the attacker total control over the protocol’s infrastructure. Another three of six multisig keys were compromised on BNB chain and 1 admin hot wallet key. In total there were seven keys backed up on the same machine. This is just outright incompetence from the admins. They were not using hardware wallets and control over the keys wasn’t properly distributed, making the infected laptop a single point of failure.
2 Reply Quote Share
quantumbearHero Member
Posts: 411 · Reputation: 2212
#13Oct 9, 2020, 05:07 PM
I have also edited the part and only include three of six Gnosis Safe owner keys controlling the Hyperlane bridge ProxyAdmin were compromised, also three of five BSC Safe owner keys were also compromised. If the keys are on the same laptop, but which I do not know on the X post, that means it is truly an outright incompetent.
7 Reply Quote Share
SilentGuruSenior Member
Posts: 432 · Reputation: 1445
#14Oct 9, 2020, 10:25 PM
Even people with 0.01 BTC in their hardware wallet never store seed phrase in a laptop and yet a project with tens of million dollar worth behind it put their three private keys behind a laptop. Honestly, I find the story from them to be strange.
2 Reply Quote Share
RogueMoonFull Member
Posts: 110 · Reputation: 789
#15Oct 9, 2020, 11:54 PM
Yeah weird right? I thought this only occur before on the NFT's . But we don't know mate, maybe this is a new implementation on the crypto field? And when something is still new, it is still prone to bugs, hacks, and exploits. That is why, that we have plenty of news these days relating to them. But as soon as this age well, things can only get better as well . But a private key in crypto is like a literal key too on the real world, where it is now possible for us to operate that thing that needs this key and do certain things. They know that people are excited of the new stuff, so they think it is an added profit for them. And it is only normal that each thing can have their own backdoor, especially if they are still on trend or new like on what I said earlier.
6 Reply Quote Share
jake_gweiSenior Member
Posts: 346 · Reputation: 1359
#16Oct 10, 2020, 05:53 AM
Minting in their token contract is fine, only if they don't set total supply in aggregator sites like cmc and coingecko which implies their total supply is fixed and there won't be new minted token anymore. These tokens are shady as hell especially this one, yet somebody out there still trading it as the 24h trading volume is floating around $77m which is ridiculous.
4 Reply Quote Share

Related topics