Exchange hack of EOS is IMPOSSIBLE!! | Yes Impossible

in #eos · 6 years ago

Cool thing about $EOS is that if an exchange ever gets hacked (@binance etc.) staked #EOS (hopefully the majority of EOS they keep) will not be taken, seeing as how it takes 72 hours to unstake coins. EOS is literally un-stealable - this is what true crypto security looks like!

Essentially another Mt Gox scenario could happen, every coin could be stolen from an exchange apart from EOS. Hackers can empty out every wallet but at the end of the day EOS will still be left in the wallet. Imagine the look EOS will have after it is deemed un-stealable.


If and only if the exchange also has msig on owner, possibly with a time delay.

Yep. With the time delay it's pretty impossible to steal funds.

It's certainly more difficult, but I wouldn't brand it "un-stealable". It would just require unstaking. The same is true of Steem, btw. As soon as you unstake the coins, which you have to do to sell, you become vulnerable.

With 72 hours of wait time needed, anything staked is very safe as long as you check your wallet every 2 days, which I'm sure Binance does.

A clever hacker knowing this limitation would lie in wait until exactly the 72 hours have expired and would not expose the fact that the account has been compromised. Then you unstake and that fact is broadcast to the blockchain where that public info is seen. Then if you are just one minute too late, you'd have to file a request to EOS911. I'd prefer that this info was hidden as it would give much greater security.

Another approach would be to change the private / public keypair just before the 72 hours are up on the unstaking. That would most likely thwart any attempts at theft.

PS - It just occurred to me that if the owner can change the keypair associated with an account, that a hacker could do the same thing with a compromised account thereby stealing the account. Then it's up to the original owner to realize the hack within 72 hours and do something similar to the account recovery process on Steemit.

I heard that Dan Larimer suggested throwing out the original constitution which has the provision that "intent is law". If "code is law" replaces it, then account recovery may be done for.

I believe you can view any coins that are in the process of unstaking. For example in my wallet, I'm in the process of unstaking and because of that I cannot use the CPU and RAM of coins that are being unstaked. I think that an exchange would notice any hacker trying to unstake a coin and would then go onto re-stake it. They could then change the private key or also ask BPs for assistance.
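The check described in the reply above, as an added example that is not code from the thread: a defender-side script that reads `cleos get account <name> --json` style output and reports a pending unstake that the operator did not plan, with the hours left in the 72-hour window. The sample account is constructed, and the `refund_request` field layout is assumed from the eosio.system contract's refund table.

```python
import json
from datetime import datetime, timedelta, timezone

UNSTAKE_DELAY = timedelta(hours=72)  # refund delay discussed in the thread

# Constructed sample in the shape of `cleos get account <name> --json` output
# (only the fields used here; the refund_request layout is an assumption).
SAMPLE_ACCOUNT_JSON = json.dumps({
    "account_name": "exchangehot1",
    "refund_request": {
        "owner": "exchangehot1",
        "request_time": "2018-07-01T12:00:00",
        "net_amount": "250000.0000 EOS",
        "cpu_amount": "750000.0000 EOS",
    },
})

def parse_eos_time(value):
    """Chain timestamps are UTC without a zone suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def parse_asset(value):
    """'250000.0000 EOS' -> 250000.0"""
    amount, symbol = value.split()
    if symbol != "EOS":
        raise ValueError(f"unexpected symbol {symbol}")
    return float(amount)

def pending_unstake(account_json, now):
    """Return (EOS sitting in the refund queue, hours until it can be claimed),
    or None when nothing is being unstaked."""
    request = json.loads(account_json).get("refund_request")
    if not request:
        return None
    matures_at = parse_eos_time(request["request_time"]) + UNSTAKE_DELAY
    total = parse_asset(request["net_amount"]) + parse_asset(request["cpu_amount"])
    hours_left = max((matures_at - now).total_seconds() / 3600.0, 0.0)
    return total, hours_left

def classify(account_json, now, approved_unstake_eos=0.0):
    """'clear' if no refund is pending, 'approved' if it matches what the
    operator planned, otherwise 'ALERT': time to rotate keys and re-stake
    before the 72 h window closes."""
    pending = pending_unstake(account_json, now)
    if pending is None:
        return "clear", 0.0, 0.0
    total, hours_left = pending
    if abs(total - approved_unstake_eos) < 0.0001:
        return "approved", total, hours_left
    return "ALERT", total, hours_left

if __name__ == "__main__":
    print(classify(SAMPLE_ACCOUNT_JSON, parse_eos_time("2018-07-02T12:00:00")))
```

Run it on a schedule against each hot-wallet account; any `ALERT` with hours left means the refund can still be cancelled by re-staking before the funds become liquid.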

I don't hold crypto on exchanges, so the only recourse for someone like me would be to try EOS911. I also keep my EOS main key offline and used an airgapped machine with the Greymass tool for voting for block producers. This is probably the safest way to use your keys now. Signing transactions offline then taking the json file and copying it to the watch wallet connected to the internet avoids exposure of the private key. If you want to be extra careful, wipe your USB drive each time you do this before attaching it back to the internet connected machine. There is still a small risk that malware can ghost write to the USB, so you should check disk usage after wiping.

Not really sure how exchanges handle EOS - but I'd also imagine them doing something similar.
