Coin minting by exploiters, the new common scam in crypto

[_act_]

From exchanges, to DeFi and Bridges. More innovatiion, happier the hackers.

We saw KelpDAO exploit, the Echo eBTC Exploit on Monade and yesterday was about the H tokens. Did you read about it yesterday? I later decided to post about it when I know a little more about how the scam happened. Very similar story again, Three of six Gnosis Safe owner keys controlling the Hyperlane bridge ProxyAdmin were compromised, also three of five BSC Safe owner keys were also compromised. Approximately $36 million stolen.

Maybe another one would have been Zec if not detected.

https://x.com/i/status/2064281691016048761

[sergiorus]

Maybe another one would have been Zec if not detected.

I think there's no way to know if it's been used so far no?

From what i've heard it would take some serious audits to know the real supply but yeah the chances someone actually spotted this vulnerability in the past are slim.

[_act_]

I think there's no way to know if it's been used so far no?

From what i've heard it would take some serious audits to know the real supply but yeah the chances someone actually spotted this vulnerability in the past are slim.

I do not know if new Zec has been minted, I only posted what I know about the vulnerability, that there has been no explanation. Researchers and Zcash developers have stated that they have not found signs of any exploitation, but I do not know if they were lies and bribery, but I do not think it can be like that.

[sergiorus]

I think there's no way to know if it's been used so far no?

From what i've heard it would take some serious audits to know the real supply but yeah the chances someone actually spotted this vulnerability in the past are slim.

I do not know if new Zec has been minted, I only posted what I know about the vulnerability, that there has been no explanation. Researchers and Zcash developers have stated that they have not found signs of any exploitation, but I do not know if they were lies and bribery, but I do not think it can be like that.

As they say "don't trust, verify".
It would take more than a statement from Zcash devs for the uncertainty around the coin to go away.
At least an audit by an independent 3rd party firm with good reputation.

[Wiwo]

It's actually $36 millions in H token, correct the typo error in the ops.

Like we have always stated that every new brige of protocol development exposes the project to potential attacks like this one, although the is never an access without insider's opening the back-doors, the three staff's laptops become the gateway to hit the H token.

One thing that is peculiar with all this attacks is, security failure - key takeover and finally wallet draining in some cases new tokens get minted but in this case there is no such reports yet.

[JeromeTash]

Approximately $36 stolen.

Only $36? 
Mate I think that's a typo

Bridges and different protocols, especially on BSC, that have not been properly audited seem to have a lot of vulnerabilities, and thanks to AI, hackers are making a killing out of them. The other day I saw a video of a guy trying to explain how hackers exploit those protocols, and there might actually be more hacks than what we see in the media.

[_act_]

It's actually $36 millions on H token, correct the typo error in the ops.

The best is to quote me next time just as JeromeTash did, but you still deserve at least 1 merit also. I got notification after JeromeTash quoted me for the correction.

Approximately $36 stolen.

Only $36? 
Mate I think that's a typo

Yes, it is a typo, I have corrected it. Thanks.

[asriloni]

Maybe another one would have been Zec if not detected.

I think there's no way to know if it's been used so far no?

From what i've heard it would take some serious audits to know the real supply but yeah the chances someone actually spotted this vulnerability in the past are slim.

ZEC developers have been doing formal verification to its bug and its impact, and they found no new ZEC minted from that bug. So they patched it, and try to ensure there will be no same problem to happen.

If there was new ZEC minted, i believe it would already dumped to the market.

[Wiwo]

It's actually $36 millions on H token, correct the typo error in the ops.

The best is to quote me next time just as JeromeTash did, but you still deserve at least 1 merit also. I got notification after JeromeTash quoted me for the correction.

Oh yeah that is the right thing to do, but I know you are going to correct that typo error regardless if I quote you or not, you always reread your post's and correct typo's that are inputed auto from device.

  anyways thanks always, latest update on the H coin exploit shown that there was no new coin minted just few hot wallets keys were gained.

[noorman0]

As they say "don't trust, verify".

One proposed network improvement is for users to be able to verify the integrity of Zcash available in Orchard pools. The proposed improvement likely hasn't been implemented yet, just an emergency network patch. Well, let's hope it can actually detect excess Zcash supply on an invisible network. Some comments have suggested scenarios where verification is difficult.

[shinratensei_]

Bigger question here: why the heck a coin or a token have minting mechanism, the case of H is odd because you can literally mint token out of thin air by getting ahold of the private key.
Isn't that simply ridiculous? is this minting mechanism needed in the first place or is it a backdoor? we should treat coin or token with minting mechanism as malicious contract for real.

[FinneysTrueVision]

I later decided to post about it when I know a little more about how the scam happened. Very similar story again, 3 out of 5 employees laptops were compromised which led to their Gnosis Safe owner keys to be compromised. Approximately $36 million stolen.

It’s not three of five laptops, but rather three of five keys held on the same laptop that were compromised and which gave the attacker total control over the protocol’s infrastructure. Another three of six multisig keys were compromised on BNB chain and 1 admin hot wallet key. In total there were seven keys backed up on the same machine.

This is just outright incompetence from the admins. They were not using hardware wallets and control over the keys wasn’t properly distributed, making the infected laptop a single point of failure.

[_act_]

It’s not three of five laptops, but rather three of five keys held on the same laptop that were compromised and which gave the attacker total control over the protocol’s infrastructure. Another three of six multisig keys were compromised on ETH chain and 1 admin hot wallet key. In total there were seven keys backed up on the same machine.

I have also edited the part and only include three of six Gnosis Safe owner keys controlling the Hyperlane bridge ProxyAdmin were compromised, also three of five BSC Safe owner keys were also compromised. If the keys are on the same laptop, but which I do not know on the X post, that means it is truly an outright incompetent.

[TastyChillySauce00]

I later decided to post about it when I know a little more about how the scam happened. Very similar story again, 3 out of 5 employees laptops were compromised which led to their Gnosis Safe owner keys to be compromised. Approximately $36 million stolen.

It’s not three of five laptops, but rather three of five keys held on the same laptop that were compromised and which gave the attacker total control over the protocol’s infrastructure. Another three of six multisig keys were compromised on BNB chain and 1 admin hot wallet key. In total there were seven keys backed up on the same machine.

This is just outright incompetence from the admins. They were not using hardware wallets and control over the keys wasn’t properly distributed, making the infected laptop a single point of failure.

Even people with 0.01 BTC in their hardware wallet never store seed phrase in a laptop and yet a project with tens of million dollar worth behind it put their three private keys behind a laptop. Honestly, I find the story from them to be strange.