Leo of the Brothership
20.5K posts

Leo of the Brothership
@BrothershipPool
Founder @LNLLabs , CTO @genwealth_app , Dev @keyPactWallet , Voting Member of TSC @IntersectMBO drep1ytw5tvdxpe39l9gm3g49gl0whwd2dgu4mcf5ml5z3zfuk3s8npegv

Wonderful start to RealFi's testnet.




Hardware wallets are, for the most part, one of the biggest psyops of this entire industry, and widely recognized as bad opsec by security researchers. The mailing and order lists for hardware wallets are some of the most repeatedly hacked and leaked datasets, appearing on blackhat forms year after year. Mailing addresses, names, emails, all of which are perfectly filtered for known value targets. A $300 laptop with no internet hardware is significantly less likely to get you wrench attacked, or get your root keys rugged by an HW wallet backdoor. Also, for the vast majority of users, a hardware wallet won’t save you if your web-wallet is compromised. You would have to review the entire transaction on the 1 by 1 inch hw wallet screen, where most people look at the wallet summary. You’d have to double check every script hash, every destination address of every transaction you sign. In-practice, the number of people who do this approaches zero.


Yes, yes, yes, and fking yes. This here, as described by @phil_uplc, is one of the most reliable and safest method, and I strongly recommend you guys use it for everything Cardano-related. Here is a nice tutorial to start with: developers.cardano.org/docs/operators…


After the signing bug exposed users' keys, attackers drained wallets. Then SecondFi swept the rest itself into a custodian and called it a rescue. We have seen exit scams, exchange seizures, protocols clawing funds back. A self custody wallet provider moving live customer funds with the users' own leaked keys, framed as protection, is a new shape. First time at this scale, to my knowledge. The hard part now is refunding. Once a key can be rebuilt from a public signature, the key identifies no one: owner, attacker, and chain scraper all hold it. So "sign to prove ownership" is dead here. A scammer signs as well as the victim. And some users may have self drained to a fresh wallet, then queued for a refund anyway. The one secret that survived is the seed. Derivation is one way: the leak exposed a derived key, not the 24 words, and you cannot climb back to them. Only the real owner knows the seed. So prove the seed, not the key, in zero knowledge. The user proves "I know a seed that derives to this address" without revealing it: the circuit recomputes mnemonic to seed to keys to address, and outputs a proof the verifier checks in milliseconds. The seed never leaves the device. A scammer with only the key cannot produce it. One honest limit: this proves ownership, not loss. A self drainer passes too. So refunds still need on chain accounting, what actually left each address, netted against what the owner already recovered. Proof plus accounting. Cryptography or human judgment. Human judgment is slow, gameable, and exactly the trust you tried to remove. The bug turned every signature into a key disclosure. The fix should turn every claim into a proof. Stay safe.




The "do nothing" strategy strongly recommended by SecondFi is entering its second stage of screwing up people. The truth is, now it's been so long that trying to run for the exit is indeed very dangerous compared to a few days ago. If you have assets staked/etc in an exposed wallet, the odds of getting them stolen are really high regardless of whether you wait or if you try to withdraw them. The best shot at getting such assets out is chained transactions (the withdrawal and the send tx sent one after another very quickly, to hopefully get both included in the same block).



If you support a wealth tax you are a lazy pussy.











🚨SecondFi: more than $20M stolen, or taken hostage - When the nonce is predictable, the key is public. Last Tuesday, SecondFi wallets were drained at scale. Users were doing nothing exotic, just signing transactions like any other day. Then the funds were gone. ▶️What happened. Two waves. First, external attackers drained wallets: ~16M ADA plus NFTs, around $2.5M. Then a much larger move: ~129M ADA, around $20M, swept by SecondFi itself to a third party custodian, "to keep it safe." Users were robbed by attackers, and users were swept by the platform!! ▶️The bug. Every signature scheme in this family uses a per signature secret number, the nonce. The one rule: it must be secret and unpredictable. EdDSA (Ed25519, what Cardano uses) makes it deterministic on purpose, derived from the private key and the message together. Deterministic, but secret. The secret input is the whole point. SecondFi's implementation derived it from public data alone. The nonce stopped being secret. Public in, public out. ▶️Why it is fatal. Call it what it is: worse than nonce reuse. Reuse needs two signatures from the same key to recover it. Here the nonce can be recomputed by anyone from data already on chain, so a single signature is enough to reconstruct the private key. Every transaction a user ever signed is a public disclosure of their key. I pulled signatures off chain and rebuilt the keys to confirm. One signature, every time. The chain was not attacked. It was read. ▶️The "rescue." The second wave was the platform sweeping ~129M ADA to a custodian, framed as protection. The fix for "your keys are cryptographically exposed" was "trust us to give it back." A cryptographic failure patched with a social promise. "We will return the funds" is not "we are cryptographically incapable of keeping them." The incident did not create that gap. It made it visible. ▶️The ownership trap. Once a key is publicly reconstructible, holding it proves nothing. Attacker, custodian, original user: three parties, same cryptographic claim. So how does a real owner prove it? The elegant exit is a zero knowledge proof of knowledge of the 24 words, the seed, without revealing it. Knowledge of the mnemonic is the one thing a chain scraper does not have. Prove the preimage, not the key. ▶️ How did it get in? Honest mistake, or planted? Dropping a single secret input from the nonce is a tiny change. Exactly what a tired engineer ships, and exactly what a supply chain or insider attacker plants, because it is deniable and pays out silently to whoever reads the chain. I do not know which one this was. The commit history will tell. Cryptography does not care about good intentions. It enforces what you built. SecondFi built a scheme where the nonce was predictable, so the keys were public, so the funds were anyone's. The rest is just who read the chain first. Stay safe. -- (obv, Ledger users are not affected. Nonce and signatures are computed inside the secure element)





Update x.com/i/broadcasts/1…


The attack was not "highly sophisticated" and knowing now how it happened, it would have always been safe to restore your seed phrase into a competently developed wallet and transfer your own funds to a newly generated seed phrase. The move to secure funds already at risk was probably the right move as much as it sucks for those affected to now be left in limbo wondering how or when they'll get their assets back. There is no "vulnerability" in Cardano address standards or seed generation methods or transaction signing methods when they are implemented properly.





