The news about the latest exchange that was hacked earlier this week, with hackers netting over $5 million, brings up a big inconvenient truth: no matter how much financial institutions that handle cryptocurrency invest in security measures – they still seem to be vulnerable to attacks.
Not much has been published yet about the Eterbase attack, with many questions still looming over the incident, but from what’s known so far – hackers gained access to users’ private keys by breaking into the hot wallet used by Eterbase.
It’s a chilling reminder that all hot wallets – including those employing advanced Multi Party Computation (MPC) – can be breached. In theory, MPC technology offers a robust security solution: it’s based on splitting private keys into shards and dividing these shards to multiple co-signers – each running their designated part in the signing ceremony. Only by getting all or most of co-signers to sign on their designated part enables the signing of the transaction.
While there are several MPC implementations in the market today, they all share two common flaws that make them vulnerable to attacks:
One might ask, “OK, why not just add many more co-signers to the network, giving hackers a hard time?”. Here’s the catch: expanding the MPC network to include more co-signers is not a feasible option, as it creates serious performance implications, making legitimate transactions to the blockchain slow and inefficient. that’s why the largest MPC networks in the market today typically don’t exceed 3 PCs. And here’s the bad news: hackers don’t event need to break into all 3. Why is that? The answer lies in the second vulnerability that MPC hot wallets suffer from:
MPC networks are typically programmed in a way that once the majority of co-signers in the network (typically 2 out of 3) provide their shard of the transaction, the transaction is signed and sent to the blockchain. What this means for hackers, is that they simply need to hack into one or two additional PCs to complete their takeover of the valuable keys. While this entails considerably more effort from the hacker, in today’s lucrative crypto market, the reward dwarfs the effort required to breaking into a hot wallet.
Bottom line: exchanges and banks offering digital assets must rethink their security strategy to avoid finding themselves in Eterbase’s spot.