Braavos Wallet Hack Challenge With $150k USDC Wallet Balance

[taufik123]

Braavos Wallet provides a challenge for anyone who can break into and withdraw the $150k USD in the wallet that Braavos provides.
Braavos gives a Seed Phrase

Code:

family nature fashion project scrub obscure bus crop coconut ship person winner

But Braavos also said that the wallet is secured by Braavos' 2FA hardware signer.
So until now no one has been able to withdraw $150k USD from the wallet, but many have been able to open the wallet.

Can security like Hardware Signer 2FA like this be hacked?


https://twitter.com/myBraavos/status/1755140273254891656

[NotATether]

A "hardware signer 2fa" is actually just a hardware security module that is made really tiny and inserted inside the hardware wallet.

There are commercial implementations of HSMs that cost thousands of dollars and are used by AWS, Azure, and other services, for instance.

And yes they are not easy to be hacked, but that doesn't mean they are unhackable: https://medium.com/@wainblat/how-to-hack-an-hardware-security-module-hsm-e028d0145d95

Therefore it is theoretically possible to hack the HSM that is inside Braavos' hardware signer.

[AB de Royse777]

Nice marketing strategy. Before now, I never heard of Braavos, after reading the topic I did some finding and discovered it's a hardware wallet.

Anyone please help me understand Electrum 2FA wallet first. I always thought once I have the wallet seed, then no matter if the wallet is encrypted with a password or have 2FA, I can always restore the wallet. Was I wrong? I never needed a 2FA wallet.

[apogio]

I don't have an X account so the only thing I see is a seed phrase.

The seed phrase is a BIP39 seed phrase that leads to an empty wallet.

The 2FA mechanism, in my opinion, is another way of saying:
1. "we give you one of the cosigners in a multisig vault, where the other one is held by us"
2. "we give you the seed phrase and we hold the passphrase"

In both occasions, the wallet that is produced by the seed phrase above is totally different than the one produced in occasions (1) and (2).

Nice marketing strategy. Before now, I never heard of Braavos, after reading the topic I did some finding and discovered it's a hardware wallet.

Anyone please help me understand Electrum 2FA wallet first. I always thought once I have the wallet seed, then no matter if the wallet is encrypted with a password or have 2FA, I can always restore the wallet. Was I wrong? I never needed a 2FA wallet.

Hi! I think my answer above answers your question. The seed phrase is always enough to restore a wallet. But if the wallet is produced using a passphrase, then it is essentially a totally different wallet. If the wallet is a multisig, then again it is a totally different wallet. Thus, the experiment above is not valid, unless I understand something wrong.

I can give you my seed phrase. I am very confident that I will not be hacked because I have added a random passphrase of >256 bits of entropy.

So essentially if I give you my seed phrase, you will see no coins inside, unless you manage to brute force my passphrase, which will never happen, so the only option is to beat me or threaten me.

And if what I say is correct, then I have already done it with Electrum, Sparrow, BS Green and many more wallets.

Therefore, I agree with you, it's a marketing trick.

[satscraper]

But Braavos also said that the wallet is secured by Braavos' 2FA hardware signer.

Ha ha ha, round of applause,    they want us to step onto dead-end road of  breaking multisig wallet.

One should consider this as the perfect promotion of any multisig wallet with HSM cosigner rather then wise marketing of their own product, namely,  Braavos wallet.

Only dansky can catch this.

Anyone please help me understand Electrum 2FA wallet first. I

In fact this is 2-of-3 multisig wallet. Two of those keys belong to you (one of them is "hidden' and available  to you only at restore option)   while the third key is stored  on remote server ( TrustedCoin).

[dkbit98]

Can security like Hardware Signer 2FA like this be hacked?

First time I heard about this junk, but I think it's closed source hot wallet, so you never know what is hidden in their code.
From what I understand they are using biometrics (probably fingerprint) so if you have that you can probably hack their system.
They are also using smartphone secure system, so government agency can get access to this with a backdoor if they really want.
I am waiting for some gov agent to claim $150k

[satscraper]

From what I understand they are using biometrics (probably fingerprint) so if you have that you can probably hack their system.

Correct, the  provision of cryptographic  keys in  those HSM is commonly rested on  biometrics like fingerprint and/or  palmprint, and/or facial data.




The challenge to get those $150K is limited in time; only one day left to hack the account. Why did  they limit this? Is Braavos team afraid of losing their fingers?

[nc50lc]

The challenge to get those $150K is limited in time; only one day left to hack the account. Why did  they limit this? Is Braavos team afraid of losing their fingers?

I briefly look into their features page and it seems like the default delay to remove the Hardware Signer from the wallet by using the seed phrase is 4 days.
So maybe, they do not want to risk even the faintest chance of losing the reward by setting a limit earlier than that delay.

[taufik123]

Thank you friends for their enthusiasm, and from the various explanations I got about the Braavos Wallet this made me know more about how their system works.
Such as the HSM implementation embedded in the Braavos Wallet System and some simple explanations about the 2FA mechanism.

This does seem to be marketing only, and they don't really want to give the gift, unless someone can do the hacking directly.

Marketing like this may be used by other crypto wallet companies with larger prize amounts.
Will this provoke an actual hack?
because every system will not be perfect and there will definitely be loopholes.