Why many crypto currencies use the same securities for large transfer and small?

[pornluver]

Recently ronin bridge got hacked

https://coingeek.com/axie-infinity-ronin-bridge-hacked-for-over-600m-in-eth-and-usdc/

So the hacker just stole $600 million.

The reason why the hacker can do that is because ronin bridge requires only 5 out of 9 keys. The hacker got 5.

And the solution is to increase the number of approval requirement to 8.

Here is the problem with that issue.

Someone withdrawing 1 eth and someone withdrawing 200k eth need to be approved by the same number of nodes.

Does that even make sense?

Surely there should be more security for larger amount of money.

In fact, an address should be prevented from receiving say more than 100 ETH per hour unless it has a special permissions, for example.

[slackovic]

I never understood why projects with multisig wallets don't require all signatures to be valid in order to move money. I'm not sure if it is possible to put a limit like you said (for example, 5 out of 9 signatures to withdraw 1 ETH and all 9 signatures to withdraw 200 ETH). But why not require all signatures to withdraw funds from a smart contract? I'm guessing a withdrawals are not that often so the requirement of all signatures would bring more security.

[Bttzed03]

If it will be based on value, isn't that similar to a bank personnel calling the check issuer for large payments to confirm if it's a legitimate transaction or asking approval from his/her boss before releasing huge withdrawals? It just doesn't sound right especially if we're talking about blockchain.

~ But why not require all signatures to withdraw funds from a smart contract?

Better. Regardless of amount.

[hugeblack]

In fact, an address should be prevented from receiving say more than 100 ETH per hour unless it has a special permissions, for example.

You made me laugh, if this line implemented, Ethereum will be centralized, worse than fiat money. So think about finding more creative solutions.

Personally, I see that hacking these bridges is not an easy thing, which means that either hacker is smart, and here we find that mixing the Ethereum mixer is difficult/takes years to ensure its success, or he is one of the members of that platform who's trying to obtain legal funds and/or prove that these bridges are defective In essence (a core loophole.)

In any case, if you want to swap/exchange between cryptocurrencies, either you trust centralized services or use truly Dexs.

[slackovic]

In fact, an address should be prevented from receiving say more than 100 ETH per hour unless it has a special permissions, for example.

You made me laugh, if this line implemented, Ethereum will be centralized, worse than fiat money. So think about finding more creative solutions.

Yeah, no one can and will implement a limit to receive or send funds in crypto. That doesn't make sense... But as I suggested, multisig wallets that don't withdraw funds often should require all signatures for a withdrawal. That wouldn't make it 100% secure but it would be more secure than to require signatures only 50% of the owners.

[pornluver]

If it will be based on value, isn't that similar to a bank personnel calling the check issuer for large payments to confirm if it's a legitimate transaction or asking approval from his/her boss before releasing huge withdrawals? It just doesn't sound right especially if we're talking about blockchain.

~ But why not require all signatures to withdraw funds from a smart contract?

Better. Regardless of amount.

Yes. Precisely. Actually that's the common sense. Also bridge is the weakest point of ronin. Withdrawing from bridge should have had more security

[lobo13hf]

The reason why the hacker can do that is because ronin bridge requires only 5 out of 9 keys. The hacker got 5.

And the solution is to increase the number of approval requirement to 8.

There was a backdoor and this discovered by the hacker. In this case the team was also making a big mistake by not doing regular checking.
They did know their ronin got hacked a week after. This is also the worst part in this case.

Here is the problem with that issue.

Someone withdrawing 1 eth and someone withdrawing 200k eth need to be approved by the same number of nodes.

Basically, this is not a problem but the problem is the backdoor let the hacker sign malicious signature. The privatekey leaked and it got hacked.

Does that even make sense?

that makes sense. BSC was also using small amounts of node as well.

Surely there should be more security for larger amount of money.

In fact, an address should be prevented from receiving say more than 100 ETH per hour unless it has a special permissions, for example.

It will make the dapps become capps (centrazed application)

People can do whatever they want with their money. In this case the dev is having responsibility to take care with regular audit to its security to ensure the network was safe.

[batang_bitcoin]

The best thing is to do always an update and checking on most parts of their system. Hacker attacks at most vulnerable time that they can see together when they've seen the opportunity in the system.
Having a permission before withdrawing huge amounts, won't happen. That isn't needed unless they really have became a fully centralized project and they have to verify each huge withdrawal.

[vv181]

If it will be based on value, isn't that similar to a bank personnel calling the check issuer for large payments to confirm if it's a legitimate transaction or asking approval from his/her boss before releasing huge withdrawals? It just doesn't sound right especially if we're talking about blockchain.

Yes. Precisely. Actually that's the common sense. Also bridge is the weakest point of ronin. Withdrawing from bridge should have had more security

That's not so common in these cryptocurrency worlds. Technically, some may say that the underlying of the network is semi-centralized, but to completely use how the system/analogy around the centralized system work won't solve it either, especially if you are stating that it's better to limit how many tokens/coins an address can receive. A large transaction should be taken with more precatory measures (Like in Bitcoin, the more confirmation, the harder attacker could attack it) rather than just simply differentiating the value of the amount being transacted.

[batang_bitcoin]

The best thing is to do always an update and checking on most parts of their system. Hacker attacks at most vulnerable time that they can see together when they've seen the opportunity in the system.
Having a permission before withdrawing huge amounts, won't happen. That isn't needed unless they really have became a fully centralized project and they have to verify each huge withdrawal.

That's why we can't do anything without knowing the level of security and how to check the system that is owned, because the actual hackers are more eager to the system compared to us, so need seriousness to check every time with small and large issues, except as you convey, except The project has been centralized and strong every major withdrawal is done

It should be a practice, every company does that and they're investing heavily into security because that's going to cost them more if they don't. And just like with the example, due to their lack of security and practice of checking it once in a while, they've got a huge hole in their faucet.
Which has cost them by the hundreds of millions and that's already in the history for having the largest network hack in the current time. Well, they've learned expensively on this experience.

[Teraboy]

Ronin bridge has only 5 validators and all were hacked by the hackers. The only problem is if the team didn't aware if there was a bug that can still be exploited and in this case if validators are not the main problem.
The main problem if the team was not locking the allowlist. It's still allowing the validator that used by axiedao to sign in.
This must be blocked. Man, more than 150k ethereum were lots. Axie team needs to do a hardwork to recover it again.

[cryptoaddictchie]

Ronin bridge has only 5 validators and all were hacked by the hackers. The only problem is if the team didn't aware if there was a bug that can still be exploited and in this case if validators are not the main problem.
The main problem if the team was not locking the allowlist. It's still allowing the validator that used by axiedao to sign in.
This must be blocked. Man, more than 150k ethereum were lots. Axie team needs to do a hardwork to recover it again.

There are some speculations that the team behind this but this is a big accusation. Of course I dont believe it, since the team is quite dedicated on the game. But for some players and investors, its really frustrating that a big firm would still fall on this, I think the lack of validator makes this easy for a smart hacker but his really good if he planned this all out or just a hobby. Meaning the axie security isnt safe as we know it.

[slackovic]

Ronin bridge has only 5 validators and all were hacked by the hackers. The only problem is if the team didn't aware if there was a bug that can still be exploited and in this case if validators are not the main problem.
The main problem if the team was not locking the allowlist. It's still allowing the validator that used by axiedao to sign in.
This must be blocked. Man, more than 150k ethereum were lots. Axie team needs to do a hardwork to recover it again.

OK, does anyone know was the problem in some sort of a bug or was that an inside job? Because I too read somewhere that it could have been an inside job but never could verify that story. If that's true, then unfortunately it just serves as the evidence that multisig wallets are not the best idea when it comes to security because at some point someone won't be able to resist a temptation to steal a lot of money.

[Emitdama]

You do know that there is no way that you can prevent or limit how much that an address can receive. That is not going to work because it is a decentralized platform. So, the best thing that they would have to do is to work on their security. What I would agree with is that they should work on increasing the number of approval requirements.

Instead of making it five out of nine keys being required for a transaction to be carried out, it should be the whole key being required for approval of the transaction. That’s where it would have been far much better and also more safe then it is now. Unless they have any other better solution to the problem then this opinion, then they can go for that.

[perfect999]

The best thing is to do always an update and checking on most parts of their system. Hacker attacks at most vulnerable time that they can see together when they've seen the opportunity in the system.
Having a permission before withdrawing huge amounts, won't happen. That isn't needed unless they really have became a fully centralized project and they have to verify each huge withdrawal.

Yes, regular updates on their security system is going to work out in helping them out avoid attacks from hackers. What hackers do is to exploit any Holes that they see in the system of an exchange to steal from them. So, if the platform would make it their duty to always be checking their system and seeing how secure it is, then it’s really going to go a long way in helping them.

This shouldn’t even be something that they are struggling with today, we have had several occasions of exchanges being hacked in the past, so I believe that all those events that have taken place before should have served as a lesson for the new exchanges that we have today, in making sure that they maintain their security standards to a high level. So I’m really surprised when I see some exchanges being hacked easily today.

[poodle63]

As long as the transactions need to be confirmed at least a few nodes and i think this is enough to keep the security for the token itself. The main problem is when these nodes are getting hacked and that was creating a lot of problem to the tokens. Big and small transactions are the same in front of the nodes. That's why so many validatoirs will make the blockchain become even safer than the blockchain with only a few nodes.
The security totally depend on how many validators active in the blockchain. As you can see as long as nothing happen with validators and there will be no problem.