Opinion by: Vikash Singh, Principal Investor at Stillmark
The Bybit hack was the largest theft of funds from a cryptocurrency exchange in history. It served as a wake-up call for anyone complacent about the state of security threats in the digital assets space. Everyone must learn the lesson from this heist: enterprise-grade custody requires technology to be accompanied by transparency.
Unlike many previous incidents, this loss was not caused by a faulty smart contract, lost or mismanaged keys, or deliberate misuse or rehypothecation of user funds. It was a sophisticated attack that combined social engineering with the compromise of a third-party vendor's infrastructure, exploiting weaknesses in operational security rather than in the signing scheme itself.
This hack also differs from those of earlier eras because it hit a major global exchange that takes security and compliance seriously. It is a reminder that, in crypto, there is no such thing as “good enough” security.
The anatomy of a heist
A technical overview of the Bybit attack is key to understanding how companies can proactively strengthen their defenses against such attacks. The initial foothold was a compromised developer machine belonging to Safe, the provider of the multisig Ethereum wallet platform Bybit used. That breach gave the attackers unauthorized access to Safe’s Amazon Web Services (AWS) environment, including the S3 storage bucket from which the Safe web interface was served.
The attackers then pushed a malicious JavaScript file into this bucket, and the Safe UI served it to users who loaded the interface. The code altered the transaction details displayed during the signing process, so the signers authorized transfers to the attackers’ wallets while believing they were confirming legitimate transactions. No signing key was stolen; the key holders were induced to approve the wrong transaction.
This highlights how even strong technical controls such as multisig can be undermined if the surrounding system is not implemented correctly. Worse, the presence of such controls can lull users into a false sense of security that proves fatal.
Layered security
Multisignature setups have long been considered the gold standard in digital asset security. The Bybit hack underscores the need for further analysis of, and transparency about, how these systems are implemented: not only verification of the smart contracts themselves, but also the layers of security that mitigate attacks on operational security and on the human layer.
A robust security framework for safeguarding digital assets should prioritize multi-layered verification and restrict the scope of possible interactions. Both measures address the failure mode seen at Bybit, where a single compromised component, the user interface, was enough to misdirect the signers.
A well-designed system implements a thorough verification process for every transaction. For example, a triple-check verification system has the mobile application verifying the server’s data, the server verifying the mobile application’s data, and the hardware wallet verifying the server’s data. If any of these checks fails, the transaction is not signed. This multi-layered approach contrasts with systems that interface directly with onchain contracts and may lack critical server-side checks. Those checks provide fault tolerance, particularly when the user’s interface is compromised.
A secure framework should limit the scope of possible interactions with digital asset vaults. Restricting actions to a minimal set, like sending, receiving and managing signers, reduces potential attack vectors associated with complex smart contract modifications.
Using a dedicated mobile application for sensitive operations, like transaction creation and display, adds another security layer. Mobile platforms often offer better resistance to compromise and spoofing compared to browser-based wallets or multisig interfaces. This reliance on a dedicated application enhances the overall security posture.
Transparency upgrades
To bolster transparency, businesses can leverage the capabilities of proof-of-reserve software. These can defend multisignature custody setups from UI-targeted attacks by providing an independent, self-auditable view of chain state/ownership and verifying that the correct set of keys is available to spend funds in a given address/contract (akin to a health check).
As institutional adoption of Bitcoin (BTC) and digital assets continues, custody providers must communicate the security models of their systems, and the design decisions behind them, transparently. That is the true “gold standard” of crypto security.
Transparency should also extend to how the underlying protocol changes the attack surface of custody setups, including multisignature wallets. Bitcoin has prioritized human-verifiable transfers: signers confirm destination addresses directly rather than confirming engagement with complex smart contracts, which require additional steps and dependencies to reveal where funds will flow.
In the Bybit case, that property would have made it easier for a human signer to notice that the address shown on the hardware wallet did not match the one shown by the spoofed UI.
While expressive smart contracts expand the application design space, they increase the attack surface and make formal security audits more challenging. Bitcoin’s well-established multisignature standards, including a native multisig opcode, create additional barriers against such attacks. The Bitcoin protocol has historically favored simplicity in its design, which reduces the attack surface not only at the smart-contract layer but also at the UX and human layer, including for hardware wallet users.
Increasing regulatory acceptance shows how far Bitcoin has come since its early era of widespread hacks and frauds, but Bybit shows we must never let our guard slip. Bitcoin represents financial freedom — and the price of liberty is eternal vigilance.
This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
The World Transformed, a left-wing political festival, has historically run alongside the Labour Party Conference as an unofficial fringe event.
But a lot has changed since it began in 2016, organised then by the Corbyn-backed group Momentum. And like the former Labour leader himself, TWT has gone independent.
From Thursday to Sunday, a programme of politics, arts and cultural events will be held in Manchester, a week after Labour’s annual party gathering ended.
“It no longer made any sense to be a fringe festival of the Labour conference,” Hope Worsdale, an organiser since 2018, tells Sky News. “We need a space for the independent left to come together.”
This decision was made before the formation of Your Party in July and the surge of support behind the Greens and its new leader Zack Polanski, but both these factors have given TWT some extra momentum. Organisers say it is not just a festival, but a “statement of intent from the British left” – and a left that looks different from how it used to.
Previous headline speakers were Labour MPs in the left-wing Socialist Campaign Group, and in 2021 the showstopper was US senator Bernie Sanders calling in live for an event alongside John McDonnell.
Image: The World Transformed, previously headlined left-wing Labour MPs
Image: Bernie Sanders and John McDonnell in conversation at TWT in 2021
This year, Mr Polanski, Jeremy Corbyn and Zarah Sultana are the only British politicians due to speak at events – though Brian Leishman, who lost the Labour whip in the summer, is also scheduled on a panel.
TWT was put on pause last year for organisers to reflect upon its role going forward, after Sir Keir Starmer’s election victory.
In 2021, 2022 and 2023, while he was leader of the opposition, the festival was able to “co-exist” with Labour as a space for activists on the left to discuss ideas.
But the prime minister’s “shift to the right” has alienated so many of those grassroots members that it was felt TWT’s core audience would no longer be at Labour Party conferences, says Hope, who joined Labour in the Corbyn years and has since left.
Image: TWT in 2016. Pic: TWT
Image: Event at TWT in 2023
“Our official position isn’t that Labour is dead and no one should engage with it,” she says.
“But they have shifted the values of Labour so radically since the last election, broken promise after promise, attacked civil liberties… there’s been such a suite of terrible decisions that mean people who are generally progressive and generally left wing feel like they have to take their organising elsewhere.”
So what’s on the cards?
There will be 120 events held in Hulme, Manchester, from Thursday to Sunday evening.
At the heart of the programme is daily assemblies, which organisers say are “designed to hold genuinely constructive debates about what we should do and how we should do it”.
But there’s just as much partying as there is politics – Dele Sosimi and his Afrobeat Orchestra are headlining the Saturday night slot while a “mystery guest” will host what TWT calls its “infamous” pub quiz on Friday night.
Back in 2018 that was Ed Miliband’s job, when 10,000 activists were expected to attend TWT. This year, organisers anticipate around 3,000 people will gather, but those involved insist this is a real chance for the left to strategise and co-ordinate, given the involvement of over 75 grassroots groups, trade unions, and activist networks.
Collaboration ‘vital’
A key question the left will need to address is how it can avoid splitting the vote given the rise of the Greens, socialist independents and the formation of Your Party.
One activist from the We Deserve Better organisation, which is campaigning for a left-wing electoral alliance and will be at TWT this weekend, acknowledged collaboration is “vital” if the left is to make gains under Britain’s first-past-the-post system.
Image: Jeremy Corbyn at TWT. Pic: Reuters
But it remains to be seen whether Your Party co-leaders Mr Corbyn and Ms Sultana can even work together following their public spat last month, let alone with other parties. The pair put on a united front at a rally in Liverpool on the eve of TWT, when Sultana said she was “truly sorry” and promised “no more of that”. But will the truce last?
“It’s not ideal,” says the activist. “Hopefully they are back on track… a lot of collaboration is happening at the grassroots and we need to make sure it’s formalised so we can beat Labour and the right, we need to put on a united front.”
They point to seats like Ilford North, where Health Secretary Wes Streeting clung on by a margin of just 528 votes in the general election, after a challenge from British-Palestinian candidate Leanne Mohamad, who ran in protest against Labour’s stance on Gaza.
Meanwhile, in Hackney, the Greens are hoping to gain their first directly elected mayor next May, with the Hackney Independent Socialist Group of councillors throwing their weight behind the party’s candidate, Zoe Garbett.
The We Deserve Better activist says Labour’s “hostile war on the left” has made these areas ripe for the taking, and what is more important than party affiliation is galvanising momentum behind one candidate who shares socialist values on issues like public ownership and immigration – be they the Greens, independents, or Your Party.
“The World Transformed reflects a general reorientation of the left outside of Labour. If they are taking these places for granted, we are going to win. If we unite as the left then we can win even bigger. Bring it on.”
Is Labour in danger?
There is some cause for Labour to be worried. It is haemorrhaging votes to both the right and the left after a tumultuous first year in office (13% to Reform UK, 10% to the Greens and 10% to the Lib Dems, according to an Ipsos poll in September).
Many Labour MPs feel the prime minister has spent too much energy trying to “out Reform Reform” with a focus on immigration, and he needs to do more to win back moderate and progressive voters that will be gathering at TWT this weekend.
Video: Starmer’s ‘anti-Reform party’ gamble
One fed-up MP told Sky News it was a shame TWT had decided to branch away from Labour, but not a surprise.
“This was something that was on the cards for a while, a parting of the ways, it’s another thing to show what’s happening with the direction of the party.”
He said in previous years the festival “was full of people for the first time in their life who were excited about politics and had a leadership looking at how it could challenge the biggest issues in our country”.
“Debates could be heated but it was always a place for intellectual discussion and that inside the Labour Party is now dead.”
But he said the party ultimately had bigger things to worry about than TWT, with a budget round the corner and potentially catastrophic local elections in May.
“I don’t think it will keep Keir Starmer or Morgan McSweeney up at night.”
The Irish Communications Interception and Lawful Access Bill is still in development, with drafting yet to occur, but the Global Encryption Coalition wants it scrapped now.