this post was submitted on 02 Nov 2023
53 points (96.5% liked)

Monero

1667 readers
15 users here now

This is the lemmy community of Monero (XMR), a secure, private, untraceable currency that is open-source and freely available to all.

GitHub

StackExchange

Twitter

Wallets

Desktop (CLI, GUI)

Desktop (Feather)

Mac & Linux (Cake Wallet)

Web (MyMonero)

Android (Monerujo)

Android (MyMonero)

Android (Cake Wallet) / (Monero.com)

Android (Stack Wallet)

iOS (MyMonero)

iOS (Cake Wallet) / (Monero.com)

iOS (Stack Wallet)

iOS (Edge Wallet)

Instance tags for discoverability:

Monero, XMR, crypto, cryptocurrency

founded 1 year ago
MODERATORS
 

Timeline of events

In the last Monero General Fund transparency report in March 2023, the General Fund held 8452 XMR. As far as we know, this separate wallet is safe and unaffected. It would be possible to pay people with active CCS proposal from the General Fund, but nothing has been decided.

all 30 comments
sorted by: hot top controversial new old
[–] [email protected] 10 points 1 year ago* (last edited 1 year ago) (3 children)

Seems like a good time to start using a multi-signature wallet going forward.

The developer who got arrested, that should have tainted any keys they were holding, you don't know who had access to the devices while in police custody

This is a very expensive learning opportunity.

It is interesting that it took nine transactions to empty the CCS wallet. Is that indicative of somebody new to monero?

[–] [email protected] 7 points 1 year ago

It is interesting that it took nine transactions to empty the CCS wallet. Is that indicative of somebody new to monero?

No.

A donation wallet has lots of individual transaction outputs that need to be consolidated if you move the entire balance. A transaction that has a lot of inputs that consolidates these transactions will be large in kilobytes. Unless network transaction volume is high enough to push up the dynamic block size rules, the maximum block size is about 300 kilobytes. Transactions must fit inside a single block, so there is a limit to the number of inputs in a single transaction. Plus, you don't want to create a transaction the full 300 kilobytes in size since miners' block creation rules might not mine a transaction that large. The first theft transaction in the list was about 22 kilobytes with 33 inputs:

https://xmrchain.net/search?value=ffc82e64dde43d3939354ca1445d41278aef0b80a7d16d7ca12ab9a88f5bc56a

The next was 99 kilobytes with 146 inputs:

https://xmrchain.net/search?value=08487d5dbf53dfb60008f6783d2784bc4c3b33e1a7db43356a0f61fb27ab90cc

Etc.

The full list: ffc82e64dde43d3939354ca1445d41278aef0b80a7d16d7ca12ab9a88f5bc56a 08487d5dbf53dfb60008f6783d2784bc4c3b33e1a7db43356a0f61fb27ab90cc 4b73bd9731f6e188c6fcebed91cc1eb25d2a96d183037c3e4b46e83dbf1868a9 8a5ed5483b5746bd0fa0bc4b7c4605dda1a3643e8bb9144c3f37eb13d46c1441 56dd063f42775600adf03ae1e7d7376813d9640c65f08916e3802dbfee489e2c e2ab762927637fe0255246f8795a02bd7bb99f905ae7afc21284e6ff9e7f73db 9bf312ed09da1e7dfce281a76ae2fc5b7b9edc35d31c9eb46b21d38500716b6b 837de977651136c18b0018269626be7155d477cc731c5ca907608a2db57ff6a8 9c278d1496788aee6c7f26556a3f6f2cbb7e109cd20400e0b2381f6c2d4e29f4

[–] [email protected] 4 points 1 year ago

Multi signature wallets with at the very least prevent us from suspecting the keyholders being individually liable. Which is a possibility

[–] [email protected] 2 points 1 year ago

It is interesting that it took nine transactions to empty the CCS wallet. Is that indicative of somebody new to monero?

Not sure but perhaps they weren’t able to send it in one go for technical reasons (like byte size limit), as inputs would have been too many (a lot of relatively small coins, originally received from many supporters)?

Firstly relatively small 23527 B. They did a small “test”? https://localmonero.co/blocks/search/ffc82e64dde43d3939354ca1445d41278aef0b80a7d16d7ca12ab9a88f5bc56a

Then bigger like 101 KB https://localmonero.co/blocks/search/08487d5dbf53dfb60008f6783d2784bc4c3b33e1a7db43356a0f61fb27ab90cc https://localmonero.co/blocks/search/4b73bd9731f6e188c6fcebed91cc1eb25d2a96d183037c3e4b46e83dbf1868a9 https://localmonero.co/blocks/search/8a5ed5483b5746bd0fa0bc4b7c4605dda1a3643e8bb9144c3f37eb13d46c1441 etc.

[–] [email protected] 8 points 1 year ago

Something is seriously wrong. There's a reason decentralisation is important. Anonymity or not, you never put all your eggs (digital or physical) in one basket for precisely this sort of reason. Once the wallet size reached a certain threshold (say 100 or 500 XMR), a new wallet should have been created for subsequent funds and the previous wallet should be in a hardware or paper wallet with a different trusted person ideally multisig. If funds were stolen via hack or the police forces the wallet holder to give up the keys, only a fifth (for a 500 XMR wallet) or a twenty fifth (for a 100 XMR wallet) of the amount would have been lost. If multisig is buggy, it need be ready for Seraphis. If it's just a matter of UI, then it needs to made usable and widely adopted. Remember, one of the key advantages of Monero is that it make privacy easier. You can try use Bitcoin and go through a lot of hoops to get privacy and forever stay vigilant, or just use Monero. Multisig and managing multiple accounts should be at most as difficult as Bitcoin.

[–] [email protected] 8 points 1 year ago (1 children)

FUUUUCK! will be very interested to see what is found that caused the breach.

[–] [email protected] 3 points 1 year ago (1 children)

@shortwavesurfer @Rucknium

Seconded.

With only 2 known keyholders and likely 1 single person with physical access to the Qubes laptop, and where the whole key and wallet were probably stored in a standalone offline vault-vm, what the fuck happened?

[–] [email protected] 4 points 1 year ago (2 children)

@shortwavesurfer @Rucknium

I see. They held the hot wallet on Windows fucking 10.

Unbelievable. Opsec? What's Opsec?

[–] [email protected] 2 points 1 year ago

@shortwavesurfer @Rucknium

As pointed out in the github thread by someone, the more useful opsec flow should have gone something like this.

And make the offline computer an offline vault-vm on a non-internet Qubes laptop .

[–] [email protected] 2 points 1 year ago (1 children)

How anyone that understands crypto is using windows in the year 2023 is beyond me. You cannot fix laziness with FOSS.

[–] [email protected] 1 points 1 year ago

@tusker

It's worse than that.

Fiscal responsibility alone dictates that you have a duty to create a public Opsec Charter of sorts.

And that's nothing to say of an ideological-FOSS duty to create the same.

This reeks of more than incompetence.

[–] [email protected] 5 points 1 year ago (2 children)

Is multisig such far from being practical yet? Does that also mean Bisq-like platform (Haveno) is still far from being practical?

A Monero user tends to proudly think that Monero is good, rather philosophical, being actually used for good reasons, and community-based… but it’s been hacked… I guess people will laugh now. Everyone can draw a lesson from this, though…

@[email protected] While “Windows 10” is obviously alarming, this doesn’t seem as simple like that, like pointed out in the linked thread. Maybe password-based (not key file) SSH was the problem? Btw that “someone” is hinto-janai, the person providing gupax among other things!

[–] [email protected] 4 points 1 year ago (1 children)

Is multisig such far from being practical yet?

It is not. See this comment of mine on reddit and fluffypony's answer: https://old.reddit.com/r/Monero/comments/17m6w9e/psa_ccs_wallet_incident/k7mj2he/

[–] [email protected] 2 points 1 year ago

Thank you very much. You pointed out there: "Nobody really used it, so it ended up being unstable and full of problems" and there was a reply, saying you “can't really force anybody to use something”.

I’d like to add another point of view. With reliably working multisig, we can have our own Bisq-esque DEX (at least in principle), and many people would love to use it, once it’s really available, right? For example, one might be able to sell and buy XMR in a safe and reliable way. Or eventually, though this might sound like a pipe dream but at least in theory, we might have a P2P proxy-store, where basically anyone can offer doing any shopping they can do for you. Just like on Bisq, both send securities first to discourage any cheats. When the seller ships whatever you’re buying, they “confirm” (or sign). When you receives it and everything is fine, you confirm too. Then, and only then, your security will be back and the seller will receive the locked xmr you initially deposit, and everyone will be happy. Multisig seems necessary (if not sufficient) for this to work.

we had become complacent because everything had "worked just fine" for so long.

This comment of fluffyponyza is also understandable. Generally, a programmer doesn’t want to change things when it’s working fine. “If it ain’t broke, don’t fix it.” In this case, something was (easy to) broken, though. Hindsight is 20/20.

Given that multisig is already available (just not yet well-tested), let’s stop joking like “We should keep our Monero in some other coin,” and try to think a bit more positively. At the very least it has been clearly demonstrated that Monero is so private that even core developers can’t trace it…

Troddit version links (a Tor-friendly instance) https://troddit.esmailelbob.xyz/r/Monero/comments/17m6w9e/psa_ccs_wallet_incident/k7mj2he - Onion -> http://troddit.esmail5pdn24shtvieloeedh7ehz3nrwcdivnfhfcedl7gf4kwddhkqd.onion/r/Monero/comments/17m6w9e/psa_ccs_wallet_incident/k7mj2he

[–] [email protected] 3 points 1 year ago (2 children)

Yeah. Two different people had the secret keys for the same wallet. One of them kept them in an air gapped computer. The other person kept them online in a computer accessible via SSH.

Even assuming these two trusted individuals we're not directly involved, having an always online computer with a half a million US dollars on it is a big risk.

I'm in no way trying to second guess the tragedy here. I'm just speaking for people who might have a similar problem on going in the future.

For a shared wallet, something like paperback, using Shamir's secret sharing distributed amongst trusted parties. Could be good. It would require multiple parties to conclude to unlock the key.

https://github.com/cyphar/paperback

The offline wallet signing is really cumbersome, but it is something to use when we're talking about huge amounts of money. https://monerodocs.org/cold-storage/offline-transaction-signing/

I remember reading about air gapped QR wallet signing. https://github.com/nasaWelder/lunlumo which is interesting, but I thought there was something more polished available. Anyway a program that allowed you to easily sign transactions from an air-gapped computer, could be interesting for these trust problems.

So honestly multi-signature transactions are probably the right way to go. It increases the difficulty of hacking the computers to hacking multiple computers

[–] [email protected] 4 points 1 year ago

In hindsight, maybe something very simple—using Feather on Tails, and this USB stick is only physically connected when necessary—could have prevented this from happening. Maybe.

[–] [email protected] 1 points 1 year ago (1 children)

I think anonero has something like this, but they don't have a clearnet url to link to

[–] [email protected] 5 points 1 year ago (1 children)
[–] [email protected] 3 points 1 year ago (1 children)

This raises the question about the General Fund wallet. How is it secured?

[–] [email protected] 3 points 1 year ago

probably better

[–] [email protected] 3 points 1 year ago

A hard blow.

I'm thinking of Pegasus-like outliers that are out-of-scope or potentially rather governments.

Air gap may not be sufficiently safe in extreme cases.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (2 children)

It may make sense to store CSS funds in another coin that is more multisig/offline singing friendly until we have an easy to use mutisig in monero. Then convert to XMR for payouts.

If crypto experts cannot keep funds safe then the average user has no hope.

[–] [email protected] 3 points 1 year ago

DAI multisig on Ethereum, would also solve the volatility problem. Additionally it would show just how much we believe in our own coin ._.

[–] [email protected] 3 points 1 year ago (1 children)

What problems are there with Monero's multisig implementation?

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

Well, they were not using multisig on a team controlled wallet with 2.6k XMR, that tells you all you need to know about the multisig implementation.

[–] [email protected] 2 points 1 year ago
[–] [email protected] -2 points 1 year ago