primitivesuave 12 hours ago
Missing from the article - the hacker first compromised Resolv Lab's AWS account, took a private key from KMS that was used to control minting, then managed to extract $25 million into ETH before all protocol functions were suspended.

  WatchDog 6 hours ago
  > took a private key from KMS
  They used KMS to sign the minting operation, but they didn't "take" the key; AWS KMS doesn't let you extract keys.

    pants2 5 hours ago
    ^ this is a common security misconception in crypto. "We're using an HSM, they can't steal our private key." OK genius, now you still have to secure the HSM. There's no shortcut to MPC/multisig with 3+ keyholders.

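One defensive reading of the "you still have to secure the HSM" point, as an added example that is not from the thread or from Resolv: since a KMS key cannot be exported, what matters is which principals can call it, so the CloudTrail records of the key's use are the thing to watch. The script below checks constructed CloudTrail-shaped events against an assumed policy (one service role from one CIDR may sign with the minting key; ARNs, key id and addresses are placeholders).

```python
"""Flag AWS KMS calls against a signing key that come from an unexpected
principal or network. Assumption (mine, not from the thread): the minting key
is only used by one service role from a known CIDR."""
import ipaddress

KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
MINTER = "arn:aws:sts::111122223333:assumed-role/MinterServiceRole/minter"  # placeholder
POLICY = {"key_id": KEY, "allowed_principals": {MINTER},
          "allowed_networks": [ipaddress.ip_network("10.0.0.0/16")]}
# Operations that use the key or change who may use it; all worth alerting on.
SENSITIVE_OPS = {"Sign", "Decrypt", "PutKeyPolicy", "CreateGrant", "ScheduleKeyDeletion"}

# Constructed CloudTrail-shaped records (field names follow CloudTrail's schema).
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "Sign",
     "userIdentity": {"arn": MINTER}, "sourceIPAddress": "10.0.1.25",
     "requestParameters": {"keyId": KEY}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Sign",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-laptop"},
     "sourceIPAddress": "203.0.113.77", "requestParameters": {"keyId": KEY}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-laptop"},
     "sourceIPAddress": "203.0.113.77", "requestParameters": {"keyId": KEY}},
]

def check_event(ev, policy=POLICY):
    """Return the reasons this event is suspicious (empty list = fine)."""
    if ev.get("eventSource") != "kms.amazonaws.com":
        return []
    if ev.get("requestParameters", {}).get("keyId") != policy["key_id"]:
        return []
    if ev.get("eventName") not in SENSITIVE_OPS:
        return []  # read-only calls such as DescribeKey are not alerted here
    reasons = []
    arn = ev.get("userIdentity", {}).get("arn", "")
    if arn not in policy["allowed_principals"]:
        reasons.append(f"unexpected principal {arn}")
    ip = ev.get("sourceIPAddress", "")
    try:
        if not any(ipaddress.ip_address(ip) in n for n in policy["allowed_networks"]):
            reasons.append(f"source {ip} outside allowed networks")
    except ValueError:  # e.g. a service DNS name instead of an address
        reasons.append(f"non-IP source {ip!r}")
    return reasons

def scan(events, policy=POLICY):
    """Return (index, reasons) for every sensitive call that breaks policy."""
    return [(i, r) for i, ev in enumerate(events) if (r := check_event(ev, policy))]
```

Running `scan(SAMPLE_EVENTS)` flags only the second record (a Sign call from an IAM user on an outside address); in practice the same check belongs in a CloudTrail-to-alerting pipeline rather than a one-off script.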
      Ferret7446 5 hours ago
      It's still significantly better, since access can be revoked, vs a leaked key where you're permanently fucked.

      WatchDog 5 hours ago
      > you still have to secure the HSM
      Obviously.
      > There's no shortcut to MPC/multisig with 3+ keyholders.
      The whole concept of a stablecoin seems to be based on centralised trust. Ultimately there is some org that has the fiat bank account, that mints and redeems the coins.

        idiotsecant an hour ago
        Nope, that is the foundation of a bad stablecoin. Trustless decentralized stablecoins like DAI exist. People just largely don't do their homework and prefer scams that lure them in with promises of 'yield'.

  thebiblelover7 11 hours ago
  Do you have a source for that information? I'd like to read more on it.

  abrookewood 7 hours ago
  It's explicitly mentioned in the article: "A step by step breakdown of the attack
  Step 1. Gaining Access to Resolv's AWS KMS Environment"