this post was submitted on 02 Nov 2023
52 points (96.4% liked)
Monero
1662 readers
8 users here now
This is the lemmy community of Monero (XMR), a secure, private, untraceable currency that is open-source and freely available to all.
Wallets
Android (Cake Wallet) / (Monero.com)
iOS (Cake Wallet) / (Monero.com)
Instance tags for discoverability:
Monero, XMR, crypto, cryptocurrency
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Yeah. Two different people had the secret keys for the same wallet. One of them kept them in an air gapped computer. The other person kept them online in a computer accessible via SSH.
Even assuming these two trusted individuals we're not directly involved, having an always online computer with a half a million US dollars on it is a big risk.
I'm in no way trying to second guess the tragedy here. I'm just speaking for people who might have a similar problem on going in the future.
For a shared wallet, something like paperback, using Shamir's secret sharing distributed amongst trusted parties. Could be good. It would require multiple parties to conclude to unlock the key.
https://github.com/cyphar/paperback
The offline wallet signing is really cumbersome, but it is something to use when we're talking about huge amounts of money. https://monerodocs.org/cold-storage/offline-transaction-signing/
I remember reading about air gapped QR wallet signing. https://github.com/nasaWelder/lunlumo which is interesting, but I thought there was something more polished available. Anyway a program that allowed you to easily sign transactions from an air-gapped computer, could be interesting for these trust problems.
So honestly multi-signature transactions are probably the right way to go. It increases the difficulty of hacking the computers to hacking multiple computers
In hindsight, maybe something very simple—using Feather on Tails, and this USB stick is only physically connected when necessary—could have prevented this from happening. Maybe.
I think anonero has something like this, but they don't have a clearnet url to link to