Deribit Hot Wallet Breached: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search
(Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/deribithotwalletbreached.php}} {{Unattributed Sources}} thumb|DeriBit HomepageCryptocurrency options and futures exchange Deribit experienced a hack in which $28 million was stolen from its hot wallet. The incident occurred just before midnight UTC on November 1, 2022. Fortunately, client assets and cold storage addresses, including those of third-party custodians, remain unaf...")
 
(Another 30 minutes complete. Additional sources merged in. Prevention completed. Information moved around.)
 
Line 1: Line 1:
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/deribithotwalletbreached.php}}
{{Case Study Under Construction}}{{Unattributed Sources}}
{{Unattributed Sources}}


[[File:Deribit.jpg|thumb|DeriBit Homepage]]Cryptocurrency options and futures exchange Deribit experienced a hack in which $28 million was stolen from its hot wallet. The incident occurred just before midnight UTC on November 1, 2022. Fortunately, client assets and cold storage addresses, including those of third-party custodians, remain unaffected by the hack. Deribit follows a protocol of keeping 99% of user funds in cold storage to minimize the impact of such events. To ensure security, Deribit has temporarily halted withdrawals, including those of third-party custodians, while they conduct ongoing security checks.
[[File:Deribit.jpg|thumb|DeriBit Homepage]]Cryptocurrency options and futures exchange Deribit experienced a hack in which $28 million was stolen from its hot wallet. The incident occurred just before midnight UTC on November 1, 2022. Fortunately, client assets and cold storage addresses, including those of third-party custodians, remain unaffected by the hack. Deribit follows a protocol of keeping 99% of user funds in cold storage to minimize the impact of such events. To ensure security, Deribit has temporarily halted withdrawals, including those of third-party custodians, while they conduct ongoing security checks.


This is a global/international case not involving a specific country.<ref name="coindesk-11744" /><ref name="cryptopotato-11745" /><ref name="cointelegraph-11746" /><ref name="deribitexchangetwitter-11747" /><ref name="etherscan-11748" /><ref name="etherscan-11749" />
This is a global/international case not involving a specific country.<ref name="coindesk-11744" /><ref name="cryptopotato-11745" /><ref name="cointelegraph-11746" /><ref name="deribitexchangetwitter-11747" /><ref name="etherscan-11748" />


== About DeriBit ==
== About DeriBit ==
"Cryptocurrency options and futures exchange Deribit has been hacked, with $28 million being drained from its hot wallet."
Deribit  is a cryptocurrency options and futures exchange.


"Deribit hot wallet compromised, but client funds are safe and loss is covered by company reserves
Our hot wallet was hacked for USD 28m earlier this evening just before midnight UTC on 1 November 2022."
"Client assets, Fireblocks or any of the cold storage addresses are not affected. It's company procedure to keep 99% of our user funds in cold storage to limit the impact of these type of events.
The hack is isolated & quarantined to our BTC, ETH and USDC hot wallets."
"We are performing ongoing security checks and have to halt withdrawals including third-party custodians Copper Clearloop and Cobo until we are confident all is safe to re-open."
"Deposits already sent will still be processed and after the required number of confirmations, they will be credited to accounts."
"We have raised the minimum number of confirmations for the moment causing a delay in crediting funds. Until we open wallets again we request you not to send new deposits."
"The insurance fund will not be impacted, the loss will be paid by company reserves. Deribit remains in a financially sound position and ongoing operations will not be impacted."
"During an appearance on CoinDesk TV on Wednesday, Deribit's chief commercial officer, Luuk Strijers, said client assets have not been affected but withdrawals have been temporarily halted as the exchange makes security checks."
""Hackers have gained access to our wallet server, which enabled them to initiate withdrawals from our hot wallet," Strijers said. "We keep 99% of our assets in cold storage and only 1% in hot wallets. The hacker gained access to these hot wallets."
"Strijers also revealed that the entirety of the loss will be covered by Deribit's balance sheet assets, which are separate from the company's $40 million insurance fund."
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
* Known history of when and how the service was started.
* What problems does the company or service claim to solve?
* What marketing materials were used by the firm or business?
* Audits performed, and excerpts that may have been included.
* Business registration documents shown (fake or legitimate).
* How were people recruited to participate?
* Public warnings and announcements prior to the event.
Don't Include:
* Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
* Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.


== The Reality ==
== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
Hot wallets have an especially high risk of loss.
 
* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.


== What Happened ==
== What Happened ==
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
"Cryptocurrency options and futures exchange Deribit was hacked, with $28 million being drained from its hot wallet just before midnight UTC on 1 November 2022.
{| class="wikitable"
{| class="wikitable"
|+Key Event Timeline - Deribit Hot Wallet Breached
|+Key Event Timeline - Deribit Hot Wallet Breached
Line 65: Line 19:
!Event
!Event
!Description
!Description
|-
|November 1st, 2022 5:56:35 PM MDT
|Transfer of USDC
|Transfer of 3,394,823 USDC from the Deribit hot wallet to the exploiter<ref name=":0">[https://etherscan.io/tx/0x9ae755bfbb181cc991fc2d54ec6ab04f331042cea5d33e95476846446cf88815 Transfer of 3,394,823 USDC From Deribit to the Exploiter] (Sep 17, 2023)</ref>.
|-
|-
|November 1st, 2022 6:27:23 PM MDT
|November 1st, 2022 6:27:23 PM MDT
|Hot Wallet Compromised
|Hot Wallet Compromised
|The DeriBit ethereum hot wallet is compromised with the funds going to the attacker on the blockchain.
|The DeriBit ethereum hot wallet is compromised with the funds going to the attacker on the blockchain<ref name="etherscan-11749" />.
|-
|November 1st, 2022 7:18:47 PM MDT
|USDC Transfered
|Transfer of 3,400 USDC from the Deribit hot wallet to the exploiter<ref>[https://etherscan.io/tx/0x435e91063ea2a4f1ba9cbd991337249879061069a84af182de68558a529979e6 Transfer of 3400 USDC From Deribit To The Exploiter] (Sep 17, 2023)</ref>.
|-
|-
|November 2nd, 2022 1:03:00 AM MDT
|November 2nd, 2022 1:03:00 AM MDT
Line 80: Line 42:


== Technical Details ==
== Technical Details ==
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
TBD
 
=== Ethereum Theft ===
The Ethereum theft resulted in a transfer of the entirety of 9,080.186758793618211636 ether from the Deribit hot wallet<ref name="etherscan-11749" />.
 
 
<ref>https://etherscan.io/txs?a=0x58f56615180a8eea4c462235d9e215f72484b4a3&p=13 (Sep 17, 2023)</ref>
 
Definitely Unrelated? 1000 ETH withdrawal prior - <ref>https://etherscan.io/tx/0x27d65f973ba8e73c46e5e2eed4c8b7a2a918d8bde4bab5fcc7713ca0b2269f02 (Sep 17, 2023)</ref>


== Total Amount Lost ==
== Total Amount Lost ==
There are a total of 9,080.186758793618211636 ether which were transferred from the Deribit hot wallet<ref name="etherscan-11749" />. The closing market price for ethereum on November 1st, 2022 was $1,579.70<ref>[https://coinmarketcap.com/currencies/ethereum/historical-data/ Ethereum Historical Price Data - CoinMarketCap] (Sep 17, 2023)</ref>. This creates a total value of $14,343,971.02 USD.
In addition, 3,394,823 USDC was taken<ref name=":0" />.
The total amount lost has been estimated at $28,000,000 USD.
The total amount lost has been estimated at $28,000,000 USD.


How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
== Immediate Reactions ==
 
 
=== Deribits Announcements ===
"Client assets, Fireblocks or any of the cold storage addresses are not affected. It's company procedure to keep 99% of our user funds in cold storage to limit the impact of these type of events.
 
The hack is isolated & quarantined to our BTC, ETH and USDC hot wallets."
 
"We are performing ongoing security checks and have to halt withdrawals including third-party custodians Copper Clearloop and Cobo until we are confident all is safe to re-open."
 
"Deposits already sent will still be processed and after the required number of confirmations, they will be credited to accounts."
 
"We have raised the minimum number of confirmations for the moment causing a delay in crediting funds. Until we open wallets again we request you not to send new deposits."


== Immediate Reactions ==
"The insurance fund will not be impacted, the loss will be paid by company reserves. Deribit remains in a financially sound position and ongoing operations will not be impacted."
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?


== Ultimate Outcome ==
== Ultimate Outcome ==
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
 
=== CEO Appearance on CoinDesk ===
"During an appearance on CoinDesk TV on Wednesday, Deribit's chief commercial officer, Luuk Strijers, said client assets have not been affected but withdrawals have been temporarily halted as the exchange makes security checks."
 
""Hackers have gained access to our wallet server, which enabled them to initiate withdrawals from our hot wallet," Strijers said. "We keep 99% of our assets in cold storage and only 1% in hot wallets. The hacker gained access to these hot wallets."
 
"Strijers also revealed that the entirety of the loss will be covered by Deribit's balance sheet assets, which are separate from the company's $40 million insurance fund."


== Total Amount Recovered ==
== Total Amount Recovered ==
The total amount recovered is unknown.
Deribit has reportedly covered all user balances. It remains to be seen whether any of the hacked funds will be recovered.
 
What funds were recovered? What funds were reimbursed for those affected users?


== Ongoing Developments ==
== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
TBD
== Individual Prevention Policies ==
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}
{{Prevention:Individuals:No Individual Funds Lost}}
 
{{Prevention:Individuals:Avoid Third Party Custodians}}
 
{{Prevention:Individuals:Store Funds Offline}}


{{Prevention:Individuals:End}}
{{Prevention:Individuals:End}}


== Platform Prevention Policies ==
== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}
Platforms can have a greater chance of detecting security issues through validation by experts. An industry insurance fund would help ensure reliable validators and in the event a breach occurred.
 
{{Prevention:Platforms:Regular Audit Procedures}}
 
{{Prevention:Platforms:Establish Industry Insurance Fund}}


{{Prevention:Platforms:End}}
{{Prevention:Platforms:End}}


== Regulatory Prevention Policies ==
== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}
Platforms can have a greater chance of detecting security issues through validation by experts. An industry insurance fund would help ensure reliable validators and in the event a breach occurred.
 
{{Prevention:Regulators:Platform Security Assessments}}
 
{{Prevention:Regulators:Establish Industry Insurance Fund}}


{{Prevention:Regulators:End}}
{{Prevention:Regulators:End}}


== References ==
== References ==
<references><ref name="coindesk-11744">[https://www.coindesk.com/business/2022/11/02/crypto-exchange-deribit-loses-28m-in-hot-wallet-hack/ Crypto Exchange Deribit Loses $28M in Hot Wallet Hack, Pauses Withdrawals] (Nov 13, 2022)</ref>
<references>
 
<ref name="coindesk-11744">[https://www.coindesk.com/business/2022/11/02/crypto-exchange-deribit-loses-28m-in-hot-wallet-hack/ Crypto Exchange Deribit Loses $28M in Hot Wallet Hack, Pauses Withdrawals] (Nov 13, 2022)</ref>
<ref name="cryptopotato-11745">[https://cryptopotato.com/deribit-hacker-has-started-moving-the-stolen-28m-to-tornado-cash/ Deribit Hacker Has Started Moving the Stolen $28M to Tornado Cash] (Sep 14, 2023)</ref>
<ref name="cryptopotato-11745">[https://cryptopotato.com/deribit-hacker-has-started-moving-the-stolen-28m-to-tornado-cash/ Deribit Hacker Has Started Moving the Stolen $28M to Tornado Cash] (Sep 14, 2023)</ref>
<ref name="cointelegraph-11746">[https://cointelegraph.com/news/deribit-hackers-move-stolen-ether-to-tornado-cash-crypto-mixer Deribit hackers move stolen Ether to Tornado Cash crypto mixer] (Sep 14, 2023)</ref>
<ref name="cointelegraph-11746">[https://cointelegraph.com/news/deribit-hackers-move-stolen-ether-to-tornado-cash-crypto-mixer Deribit hackers move stolen Ether to Tornado Cash crypto mixer] (Sep 14, 2023)</ref>
<ref name="deribitexchangetwitter-11747">[https://twitter.com/DeribitExchange/status/1587701883778523136 @DeribitExchange Twitter] (Sep 14, 2023)</ref>
<ref name="deribitexchangetwitter-11747">[https://twitter.com/DeribitExchange/status/1587701883778523136 @DeribitExchange Twitter] (Sep 14, 2023)</ref>
<ref name="etherscan-11748">[https://etherscan.io/address/0xb0606f433496bf66338b8ad6b6d51fc4d84a44cd Deribit Hotwallet Exploiter | Address 0xb0606f433496bf66338b8ad6b6d51fc4d84a44cd | Etherscan] (Sep 14, 2023)</ref>
<ref name="etherscan-11748">[https://etherscan.io/address/0xb0606f433496bf66338b8ad6b6d51fc4d84a44cd Deribit Hotwallet Exploiter | Address 0xb0606f433496bf66338b8ad6b6d51fc4d84a44cd | Etherscan] (Sep 14, 2023)</ref>
 
<ref name="etherscan-11749">[https://etherscan.io/tx/0xdd608c8c4e8d8529967955d89f9e71842e80c3c84d592c72054f68090a5a102c Transfer of 9,080.186758793618211636 Ether From Deribit Hot Wallet To Attacker - Etherscan] (Sep 14, 2023)</ref>
<ref name="etherscan-11749">[https://etherscan.io/tx/0xdd608c8c4e8d8529967955d89f9e71842e80c3c84d592c72054f68090a5a102c Ethereum Transaction Hash (Txhash) Details | Etherscan] (Sep 14, 2023)</ref></references>
</references>

Latest revision as of 16:09, 17 September 2023

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

DeriBit Homepage

Cryptocurrency options and futures exchange Deribit experienced a hack in which $28 million was stolen from its hot wallet. The incident occurred just before midnight UTC on November 1, 2022. Fortunately, client assets and cold storage addresses, including those of third-party custodians, remain unaffected by the hack. Deribit follows a protocol of keeping 99% of user funds in cold storage to minimize the impact of such events. To ensure security, Deribit has temporarily halted withdrawals, including those of third-party custodians, while they conduct ongoing security checks.

This is a global/international case not involving a specific country.[1][2][3][4][5]

About DeriBit

Deribit is a cryptocurrency options and futures exchange.


The Reality

Hot wallets have an especially high risk of loss.

What Happened

"Cryptocurrency options and futures exchange Deribit was hacked, with $28 million being drained from its hot wallet just before midnight UTC on 1 November 2022.

Key Event Timeline - Deribit Hot Wallet Breached
Date Event Description
November 1st, 2022 5:56:35 PM MDT Transfer of USDC Transfer of 3,394,823 USDC from the Deribit hot wallet to the exploiter[6].
November 1st, 2022 6:27:23 PM MDT Hot Wallet Compromised The DeriBit ethereum hot wallet is compromised with the funds going to the attacker on the blockchain[7].
November 1st, 2022 7:18:47 PM MDT USDC Transfered Transfer of 3,400 USDC from the Deribit hot wallet to the exploiter[8].
November 2nd, 2022 1:03:00 AM MDT DeriBit Tweet DeriBit shares a tweet to report on the hack publicly.
November 2nd, 2022 1:44:12 AM MDT CoinDesk Article Published CoinDesk publishes an article reporting on the situation.

Technical Details

TBD

Ethereum Theft

The Ethereum theft resulted in a transfer of the entirety of 9,080.186758793618211636 ether from the Deribit hot wallet[7].


[9]

Definitely Unrelated? 1000 ETH withdrawal prior - [10]

Total Amount Lost

There are a total of 9,080.186758793618211636 ether which were transferred from the Deribit hot wallet[7]. The closing market price for ethereum on November 1st, 2022 was $1,579.70[11]. This creates a total value of $14,343,971.02 USD.

In addition, 3,394,823 USDC was taken[6].

The total amount lost has been estimated at $28,000,000 USD.

Immediate Reactions

Deribits Announcements

"Client assets, Fireblocks or any of the cold storage addresses are not affected. It's company procedure to keep 99% of our user funds in cold storage to limit the impact of these type of events.

The hack is isolated & quarantined to our BTC, ETH and USDC hot wallets."

"We are performing ongoing security checks and have to halt withdrawals including third-party custodians Copper Clearloop and Cobo until we are confident all is safe to re-open."

"Deposits already sent will still be processed and after the required number of confirmations, they will be credited to accounts."

"We have raised the minimum number of confirmations for the moment causing a delay in crediting funds. Until we open wallets again we request you not to send new deposits."

"The insurance fund will not be impacted, the loss will be paid by company reserves. Deribit remains in a financially sound position and ongoing operations will not be impacted."

Ultimate Outcome

CEO Appearance on CoinDesk

"During an appearance on CoinDesk TV on Wednesday, Deribit's chief commercial officer, Luuk Strijers, said client assets have not been affected but withdrawals have been temporarily halted as the exchange makes security checks."

""Hackers have gained access to our wallet server, which enabled them to initiate withdrawals from our hot wallet," Strijers said. "We keep 99% of our assets in cold storage and only 1% in hot wallets. The hacker gained access to these hot wallets."

"Strijers also revealed that the entirety of the loss will be covered by Deribit's balance sheet assets, which are separate from the company's $40 million insurance fund."

Total Amount Recovered

Deribit has reportedly covered all user balances. It remains to be seen whether any of the hacked funds will be recovered.

Ongoing Developments

TBD

Individual Prevention Policies

This case does not appear to have resulted in a loss to any individual.

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Platforms can have a greater chance of detecting security issues through validation by experts. An industry insurance fund would help ensure reliable validators and in the event a breach occurred.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Platforms can have a greater chance of detecting security issues through validation by experts. An industry insurance fund would help ensure reliable validators and in the event a breach occurred.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Crypto Exchange Deribit Loses $28M in Hot Wallet Hack, Pauses Withdrawals (Nov 13, 2022)
  2. Deribit Hacker Has Started Moving the Stolen $28M to Tornado Cash (Sep 14, 2023)
  3. Deribit hackers move stolen Ether to Tornado Cash crypto mixer (Sep 14, 2023)
  4. @DeribitExchange Twitter (Sep 14, 2023)
  5. Deribit Hotwallet Exploiter | Address 0xb0606f433496bf66338b8ad6b6d51fc4d84a44cd | Etherscan (Sep 14, 2023)
  6. 6.0 6.1 Transfer of 3,394,823 USDC From Deribit to the Exploiter (Sep 17, 2023)
  7. 7.0 7.1 7.2 Transfer of 9,080.186758793618211636 Ether From Deribit Hot Wallet To Attacker - Etherscan (Sep 14, 2023)
  8. Transfer of 3400 USDC From Deribit To The Exploiter (Sep 17, 2023)
  9. https://etherscan.io/txs?a=0x58f56615180a8eea4c462235d9e215f72484b4a3&p=13 (Sep 17, 2023)
  10. https://etherscan.io/tx/0x27d65f973ba8e73c46e5e2eed4c8b7a2a918d8bde4bab5fcc7713ca0b2269f02 (Sep 17, 2023)
  11. Ethereum Historical Price Data - CoinMarketCap (Sep 17, 2023)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Deribit_Hot_Wallet_Breached&oldid=5052"