Deribit Hot Wallet Breached

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 16:09, 17 September 2023 by Azoundria (talk | contribs) (Another 30 minutes complete. Additional sources merged in. Prevention completed. Information moved around.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

DeriBit Homepage

Cryptocurrency options and futures exchange Deribit experienced a hack in which $28 million was stolen from its hot wallet. The incident occurred just before midnight UTC on November 1, 2022. Fortunately, client assets and cold storage addresses, including those of third-party custodians, remain unaffected by the hack. Deribit follows a protocol of keeping 99% of user funds in cold storage to minimize the impact of such events. To ensure security, Deribit has temporarily halted withdrawals, including those of third-party custodians, while they conduct ongoing security checks.

This is a global/international case not involving a specific country.[1][2][3][4][5]

About DeriBit

Deribit is a cryptocurrency options and futures exchange.


The Reality

Hot wallets have an especially high risk of loss.

What Happened

"Cryptocurrency options and futures exchange Deribit was hacked, with $28 million being drained from its hot wallet just before midnight UTC on 1 November 2022.

Key Event Timeline - Deribit Hot Wallet Breached
Date Event Description
November 1st, 2022 5:56:35 PM MDT Transfer of USDC Transfer of 3,394,823 USDC from the Deribit hot wallet to the exploiter[6].
November 1st, 2022 6:27:23 PM MDT Hot Wallet Compromised The DeriBit ethereum hot wallet is compromised with the funds going to the attacker on the blockchain[7].
November 1st, 2022 7:18:47 PM MDT USDC Transfered Transfer of 3,400 USDC from the Deribit hot wallet to the exploiter[8].
November 2nd, 2022 1:03:00 AM MDT DeriBit Tweet DeriBit shares a tweet to report on the hack publicly.
November 2nd, 2022 1:44:12 AM MDT CoinDesk Article Published CoinDesk publishes an article reporting on the situation.

Technical Details

TBD

Ethereum Theft

The Ethereum theft resulted in a transfer of the entirety of 9,080.186758793618211636 ether from the Deribit hot wallet[7].


[9]

Definitely Unrelated? 1000 ETH withdrawal prior - [10]

Total Amount Lost

There are a total of 9,080.186758793618211636 ether which were transferred from the Deribit hot wallet[7]. The closing market price for ethereum on November 1st, 2022 was $1,579.70[11]. This creates a total value of $14,343,971.02 USD.

In addition, 3,394,823 USDC was taken[6].

The total amount lost has been estimated at $28,000,000 USD.

Immediate Reactions

Deribits Announcements

"Client assets, Fireblocks or any of the cold storage addresses are not affected. It's company procedure to keep 99% of our user funds in cold storage to limit the impact of these type of events.

The hack is isolated & quarantined to our BTC, ETH and USDC hot wallets."

"We are performing ongoing security checks and have to halt withdrawals including third-party custodians Copper Clearloop and Cobo until we are confident all is safe to re-open."

"Deposits already sent will still be processed and after the required number of confirmations, they will be credited to accounts."

"We have raised the minimum number of confirmations for the moment causing a delay in crediting funds. Until we open wallets again we request you not to send new deposits."

"The insurance fund will not be impacted, the loss will be paid by company reserves. Deribit remains in a financially sound position and ongoing operations will not be impacted."

Ultimate Outcome

CEO Appearance on CoinDesk

"During an appearance on CoinDesk TV on Wednesday, Deribit's chief commercial officer, Luuk Strijers, said client assets have not been affected but withdrawals have been temporarily halted as the exchange makes security checks."

""Hackers have gained access to our wallet server, which enabled them to initiate withdrawals from our hot wallet," Strijers said. "We keep 99% of our assets in cold storage and only 1% in hot wallets. The hacker gained access to these hot wallets."

"Strijers also revealed that the entirety of the loss will be covered by Deribit's balance sheet assets, which are separate from the company's $40 million insurance fund."

Total Amount Recovered

Deribit has reportedly covered all user balances. It remains to be seen whether any of the hacked funds will be recovered.

Ongoing Developments

TBD

Individual Prevention Policies

This case does not appear to have resulted in a loss to any individual.

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Platforms can have a greater chance of detecting security issues through validation by experts. An industry insurance fund would help ensure reliable validators and in the event a breach occurred.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Platforms can have a greater chance of detecting security issues through validation by experts. An industry insurance fund would help ensure reliable validators and in the event a breach occurred.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Crypto Exchange Deribit Loses $28M in Hot Wallet Hack, Pauses Withdrawals (Nov 13, 2022)
  2. Deribit Hacker Has Started Moving the Stolen $28M to Tornado Cash (Sep 14, 2023)
  3. Deribit hackers move stolen Ether to Tornado Cash crypto mixer (Sep 14, 2023)
  4. @DeribitExchange Twitter (Sep 14, 2023)
  5. Deribit Hotwallet Exploiter | Address 0xb0606f433496bf66338b8ad6b6d51fc4d84a44cd | Etherscan (Sep 14, 2023)
  6. 6.0 6.1 Transfer of 3,394,823 USDC From Deribit to the Exploiter (Sep 17, 2023)
  7. 7.0 7.1 7.2 Transfer of 9,080.186758793618211636 Ether From Deribit Hot Wallet To Attacker - Etherscan (Sep 14, 2023)
  8. Transfer of 3400 USDC From Deribit To The Exploiter (Sep 17, 2023)
  9. https://etherscan.io/txs?a=0x58f56615180a8eea4c462235d9e215f72484b4a3&p=13 (Sep 17, 2023)
  10. https://etherscan.io/tx/0x27d65f973ba8e73c46e5e2eed4c8b7a2a918d8bde4bab5fcc7713ca0b2269f02 (Sep 17, 2023)
  11. Ethereum Historical Price Data - CoinMarketCap (Sep 17, 2023)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Deribit_Hot_Wallet_Breached&oldid=5052"