Upbit hot wallet hacking is technically "possible"
Upbit, one of Korea's major cryptocurrency exchanges, announced at around 6 p.m. Wednesday that roughly 58 billion won worth of ethereum was transferred from an Upbit hot wallet to an unknown wallet. The major concern is whether the ethereum that was stored in Upbit's hot wallet was hacked.

Three ethereum accounts for Upbit, but only one affected

To find out whether the ethereum was stolen through hacking, we need to know how Upbit has been managing its ethereum hot wallets. Ethereum has the Ethereum Name Service (ENS), whose names work like the domain names used on the internet. Upbit registered three ENS addresses: Upbit1, Upbit2 and Upbit3. The 342,000 ethereum was sent from Upbit3. The other two accounts didn't show any suspicious movements.

“Upbit1 seems like a dead account, Upbit2 seems to be used for ethereum ERC20,” said Park Kyung-nam, head of GrowFi, which is leading a DeFi project. “From Upbit3, 4,789.87 ethereum was withdrawn and 36,761.13 ethereum was deposited after 342,000 ethereum was transferred. At least on the outside, it seems like Upbit lost most of the ethereum in its hot wallet."

If Upbit really lost most of the ethereum in its hot wallet, it would be right to say about 30 percent of Upbit's ethereum has been transferred. Considering Bithumb was holding some 910,000 ethereum at the end of last year, it is likely that Upbit holds a similar amount of ethereum. Of course, it is hard to know for sure whether 30 percent is the right figure without Upbit's official information.

Shouldn't multisignature be safe?

Multisignature (multisig) refers to requiring multiple keys to authorize a crypto transaction. This method has been thought of as a way to make hot wallets safer. Japanese cryptocurrency exchange Coincheck, which lost more coins than Mt. Gox, is known to have been hacked because it used a hot wallet without the multisig system. Upbit said it uses multisig technology by Bitgo, a large digital asset storage service company.

Still, it lost 342,000 ethereum without knowing.

It doesn't seem like multisig was used

"We can't be sure, because we don't know which part of Bitgo's technology Upbit is using, but judging by the account used in withdrawal, it doesn't look like a multisig-applied wallet," Park said. "Generally known multisig offered by Bitgo is based on contracts."

According to Park, ethereum doesn't support the multisig feature, so multisig using smart contracts is usually applied. Ethereum is operated based on accounts, and this makes only one person capable of signing per transaction.

The possibility of hacking exists

In the end, the coins may have been hacked. However, as some information remains unknown, like whether the wallet used a multisig system, various scenarios are possible.

1. If the wallet is based on multisig: Even if Upbit's hot wallet uses a multisig system, there is still a possibility of hacking. Hacking is possible if the hacker takes the private keys of both accounts. In this case, withdrawal is possible even without getting approval for a transaction. Technically, there is a possibility Upbit would not have noticed the transaction.

2. If the wallet is based on multisig, and the hacker could not steal private keys: Even if a hacker was not able to steal the private keys for a multisig-applied wallet, hacking is still possible if the hacker succeeds in taking control of and operating a PC. It has a similar effect to stealing a private key.

3. If the wallet is not based on multisig: In this case there is a larger possibility of hacking. If a hacker steals one private key or takes control of the operating PC, the hacker can transfer assets without alerting Upbit.

"Approving a transaction can be done autonomously or manually. But even if the approval is given manually, the same problem occurs. If [a hacker] takes control of the operating PC or steals a private key, it is hard to block hacking even if approval is given manually," Park added, stressing that hacking can take place in any scenario. He also said that even the master key, which has the role of giving final approval for a transaction, can be breached in the case of hot wallets.
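
Park's remark about judging multisig "by the account used in withdrawal" rests on the fact that a contract-based multisig wallet is a contract account, so the standard Ethereum JSON-RPC call eth_getCode returns bytecode for it, while an account controlled by a single key returns empty code. The following Python sketch is an added example, not part of the original article or any Upbit or Bitgo code; the function names, addresses and node replies are constructed for illustration.

```python
import json

HEX_DIGITS = set("0123456789abcdefABCDEF")

def getcode_request(address, block="latest", req_id=1):
    """Build the eth_getCode JSON-RPC request body for one address."""
    return json.dumps({"jsonrpc": "2.0", "id": req_id,
                       "method": "eth_getCode", "params": [address, block]})

def classify_account(response_text):
    """Classify an account from the raw JSON-RPC reply to eth_getCode."""
    reply = json.loads(response_text)
    if "error" in reply:
        raise ValueError(f"node returned an error: {reply['error']}")
    code = reply.get("result")
    if not isinstance(code, str) or not code.startswith("0x"):
        raise ValueError("malformed eth_getCode result")
    body = code[2:]
    if len(body) % 2 or not set(body) <= HEX_DIGITS:
        raise ValueError("result is not a whole number of hex bytes")
    if not body:
        # No code: one private key signs every transaction. This rules out
        # contract-enforced multisig only; it says nothing about how that
        # key is stored or approved off-chain.
        return {"kind": "externally-owned", "code_bytes": 0,
                "onchain_multisig_possible": False}
    # Code present: the contract logic may require several approvals, but
    # only reviewing the bytecode or source shows whether it does.
    return {"kind": "contract", "code_bytes": len(body) // 2,
            "onchain_multisig_possible": True}

# Constructed replies (not real chain data), keyed by placeholder addresses.
SAMPLE_REPLIES = {
    "0x" + "11" * 20: '{"jsonrpc":"2.0","id":1,"result":"0x"}',
    "0x" + "22" * 20: '{"jsonrpc":"2.0","id":2,"result":"0x6080604052"}',
}

def triage(replies):
    """Map each address to its account kind."""
    return {addr: classify_account(text)["kind"]
            for addr, text in replies.items()}

if __name__ == "__main__":
    for addr, kind in triage(SAMPLE_REPLIES).items():
        print(addr, kind)
```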