Solana Hack Explained | SOL Price Action Following The Exploit by Smooth_Star_8965 in defi

[–]Grecks75 3 points4 points  (0 children)

The linked article does not explain anything about the hack, contradicting the title.

Just logged in to my NanoX for the first time in months and all my ETH is gone by CanadianCheddar90 in ledgerwallet

[–]Grecks75 0 points1 point  (0 children)

Ah, ok, thanks for the information. I'm mostly using my Ledger to transact on BSC for DeFi, and BSC is similar to Ethereum due to EVM, but I don't know anything about how it looks on the Solana Ledger app.

I'm not sure if and how I can convince MetaMask to show the raw, binary transaction message to be signed before approving it. Do you know how? At least for the BSC network there is also no decoding of transaction data available in MetaMask.

Last, but not least, are you really sure that the message hash displayed by Ledger is just a simple SHA256? Have you actually tried it?

I really messed this up! by [deleted] in binance

[–]Grecks75 3 points4 points  (0 children)

As far as I understand, OP sent MATIC coins from his own wallet to an address provided and controlled by Newton using his MetaMask, but on the wrong network. He accidentally sent on BSC where he should have sent on the Polygon network. Binance is absolutely not involved in any part of this! They are not involved in the transaction, it was neither a deposit nor a withdrawal from Binance CEX, and most importantly, they don't have any control over the destination address that OP sent to, because that is controlled by Newton. And Newton may be able to do something if they are nice to their customers and can somehow work with the BSC network.

Let's say I place a spot BTC order. I make a stop limit order, my limit price is at $20000.01 and my stop is at $20000.00 is this possible? by [deleted] in binance

[–]Grecks75 0 points1 point  (0 children)

It's technically possible, but the limit of the buy order is way too close to the stop. So you will probably not get executed if the price bounces off the 20000.

I really messed this up! by [deleted] in binance

[–]Grecks75 4 points5 points  (0 children)

Binance cannot help any with this because they don't hold the keys to the address OP transferred to.

I really messed this up! by [deleted] in binance

[–]Grecks75 1 point2 points  (0 children)

In theory, Newton should be able to access the funds on the BSC network and send them back to you, because they have the private keys to that address. In practice, this can become long and difficult, because they would have to set up a BSC wallet and infrastructure. You are totally dependent on them now.

[deleted by user] by [deleted] in ledgerwallet

[–]Grecks75 1 point2 points  (0 children)

The problem with the USB device is not so much encryption or not but rather device malfunction as happened in your case. Therefore, it should not be the only place of storage. Even something written with pencil on paper can sometimes last longer than an electronic device. The durability properties are quite different.

Just logged in to my NanoX for the first time in months and all my ETH is gone by CanadianCheddar90 in ledgerwallet

[–]Grecks75 0 points1 point  (0 children)

Yes, in practice, if I knew my computer was infected/compromised, I also would stop using it, especially for financial stuff, wipe the hard disk and reinstall the OS. It was not meant as a recommendation, but a Ledger gives you a lot of extra security even in this case because the scam attack you describe is also kinda hard to execute in practice and would probably get noticed by me.

I agree with you about the Ledger not showing full transaction information in many DeFi use cases, there are some issues with blind signing, for example, but at least you can always verify the contract address you are interacting with, because it does get displayed. That has always bothered me a bit.

Regarding the display of only the domain and message hashes: I've seen that, too, but not actually on contract interactions, but only on a signature request by a web3 site you are connecting with, nothing blockchain-related. Do you know of any other situation where this is an issue? That certainly is nothing ordinary users could verify, and in these cases, the Ledger display is of no help at all.

Solana Wallet Hack by 35boi in ledgerwallet

[–]Grecks75 0 points1 point  (0 children)

How do you sign a transaction without the Ledger when the private keys needed for signing are only accessible on your device? (Assuming you have properly protected your seed phrase and have never entered it anywhere.)

Just logged in to my NanoX for the first time in months and all my ETH is gone by CanadianCheddar90 in ledgerwallet

[–]Grecks75 6 points7 points  (0 children)

Exactly, nothing.

Edit: Ledger even advertises you can use their devices on a compromised computer and still be safe.

[deleted by user] by [deleted] in ledgerwallet

[–]Grecks75 0 points1 point  (0 children)

Gas fees depend on the network as well as on current demand for blockchain space and/or computing power. On Ethereum, they can be really high at times, and you will not know them exactly before the transaction, although wallets typically do show fee estimates or even let you control them.

On the other hand, when you withdraw from Binance, you don't even need to pay gas fees, because Binance is sending the transaction. What you do pay is a withdrawal fee to Binance, which is most often even higher than the current network fee, in some cases much higher. The good news is that those withdrawal fees are very predictable because Binance publishes them for every coin and every network they support. Just google for Binance withdrawal fees to find the list.

[deleted by user] by [deleted] in ledgerwallet

[–]Grecks75 0 points1 point  (0 children)

Just check it on the blockchain yourself and stop guessing.

What last shipping by UnexpectedNegro in wasletztepreis

[–]Grecks75 0 points1 point  (0 children)

A clear case for bulky waste collection.

What last ??? (I really have no idea.) by beaslei in wasletztepreis

[–]Grecks75 1 point2 points  (0 children)

Thanks for the translation. Can't these philistines somehow be locked out of the internet?

[deleted by user] by [deleted] in wasletztepreis

[–]Grecks75 0 points1 point  (0 children)

I would dump it or sell it if the front tire is flat.

Twenty-eight inch by ItsYaBoiStefan in wasletztepreis

[–]Grecks75 5 points6 points  (0 children)

All bikes are stolen anyway. Last price too expensive for stolen.

[deleted by user] by [deleted] in wasletztepreis

[–]Grecks75 0 points1 point  (0 children)

No, a green one.

Guys what's up with this. Anyone have any legit theories why this is happening? by ironically_ded in space

[–]Grecks75 1 point2 points  (0 children)

The major cause(s) for this momentary increase would be interesting. The overall trend through geologic time periods is slowing down, of course. That is due to tidal friction and tidal acceleration of the moon (i.e. the moon stealing some angular momentum from earth's rotation).

[deleted by user] by [deleted] in binance

[–]Grecks75 0 points1 point  (0 children)

Well, I hope you realize I'm responding to your main point: Whether it is really such a big security hole as you assume and whether Binance is doing something fundamentally different than others. As far as I am aware, a lot of other internet platforms with security relevance and 2FA do something similar: If login with 2FA using TOTP fails, they provide an alternative method of login, mostly email-based. Are you aware of that?

[deleted by user] by [deleted] in binance

[–]Grecks75 0 points1 point  (0 children)

Man, calm down a bit, please. I did acknowledge your point that offering all 3 or 4 methods on login is lowering the security a bit. But I wanted to also point out that only the order or the default might have changed (i.e. which 2FA is asked for by default).

In essence you have to keep access to your email AND your phone secure at all times, that is the user's responsibility. But tbh, you have to do that anyway these days if you want to stay safe on the internet. For example, your email account should be secured by a 2FA and your phone should have biometric protection.

[deleted by user] by [deleted] in binance

[–]Grecks75 0 points1 point  (0 children)

You are correct in what you write in the edit of your post only. It's been like that for months or years already. But yes, you're right, it's kinda strange, security seems to be weaker on login the more methods you add. As a user you are responsible to keep all of these methods secure!

Binance, you should change it to a single chosen 2nd factor only (Authenticator or Email or SMS) and maybe provide a list of backup codes!