
Topic: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution (Read 1947 times)

legendary
Activity: 1624
Merit: 2594
The CEO stated that the timelock will only expire if the vulnerabilities are found and fixed


Where did you read such a statement? Honestly, all I've read is that they stated their services will be reopened "once the vulnerabilities are confirmed and fixed". That makes sense.

Lol Tell us more, it seems you know more than the rest of us - You're merely reading the lines, whereas I'm deciphering the meaning.

Keep your socks on, I'm not here to defend Mixin or anything, and I don't work for them either. I'm just sharing the info I come across. You said, "The CEO stated..." and I simply asked, "Where did you read such a statement?"

Also, you mentioned "timelock," so I assume you're referring to Mixin Safe. It's already been said multiple times in this thread - it's a different service! The Mixin Safe service has never been suspended or affected by the hack, as far as I know. If you have different information, please share.

To quote LoyceV:
I've seen several incorrect posts by now. To be clear: Mixin lost $200M, not Mixin Safe.
staff
Activity: 1316
Merit: 1610
The Naija & BSFL Sherrif 📛
The CEO stated that the timelock will only expire if the vulnerabilities are found and fixed


Where did you read such a statement? Honestly, all I've read is that they stated their services will be reopened "once the vulnerabilities are confirmed and fixed". That makes sense.

Lol Tell us more, it seems you know more than the rest of us - You're merely reading the lines, whereas I'm deciphering the meaning. They're not going to compensate anyone, and the only thing you'll probably see in your balance are some shady tokens. No way the owner compensating anyone out of his own pocket..

These days when an entity gets hacked, both the owners and the customers bear the loss, no fund insurance policy.
legendary
Activity: 2912
Merit: 6403
I don't know where Igebotz got that from, but I don't think that's true. According to media reports, during a live briefing on September 25th, Mixin's founder, Xiaodong Feng, stated that they would compensate users "up to 50%" for the stolen assets, with the remainder being distributed to users as "tokenized liability claims" that Mixin would eventually repurchase "with its future profits".

lol, "compensate" ?
I love how they always use stupid wording like this, trying to pose like they are in control, they are the ones taking the hit, and they will suffer one century in pain but will make everything up for their customers!

It's no compensation, compensation is when you take something and give something in return, this is just taking half of the money away!
Imagine how a robber would testify in court and argue that he took only one TV and the jewelry so has already compensated the victim by letting him have his fridge and socks!!!

https://twitter.com/MixinKernel/status/1709869557287178402
Quote
After statistical analysis, the affected assets in this incident were mainly ERC20-USDT, ETH, and BTC. Other assets were not affected. The specific compensation details are still under discussion. Please stay tuned for updates on the progress of this incident. In order to improve the Network and provide more secure services, after a week of rigorous evaluation, we will make the following updates to the Mixin Network:

again, lol

Quote
1. Release a new system based on Mixin Safe to enhance network security. The new system is expected to go online in 3-4 weeks. After another 2 weeks of system inspection, deposit and withdrawal functions can be opened.

deposits and withdrawals, quite optimistic, I am willing to bet on a 1000:1 ratio between the two
hero member
Activity: 994
Merit: 1089
Why would anyone use a third party to hold their keys? And this was supposed to be what exactly, an easy target for "hackers"?  By the time people realize not to trust their money with none other than banks, I'd be long gone, universe would be long gone, meaning people will continue to do this.
The bank is also a third party, and they control your money when you trust them with it, take note that banks are also involved in fractional reserve scam. Nevertheless, the banking system is a more established institution than centralized exchanges or crypto businesses like mixin network, so your money is probably safer in a bank than with such services.
Bitcoin is a currency and a bank, if you want to give your funds to third parties for whatever reason, give them to banks and if banks don't offer such services, maybe they have a good reason.
BTC is not a bank, when you use BTC you ought to be the bank yourself and hold your own keys. If you want self custody of your money, store your keys yourself, not your keys, not your coins.
copper member
Activity: 1330
Merit: 899
🖤😏
Why would anyone use a third party to hold their keys? And this was supposed to be what exactly, an easy target for "hackers"?  By the time people realize not to trust their money with none other than banks, I'd be long gone, universe would be long gone, meaning people will continue to do this.  Bitcoin is a currency and a bank, if you want to give your funds to third parties for whatever reason, give them to banks and if banks don't offer such services, maybe they have a good reason.


This will keep on happening as it has several times in the past, simply because they don't want to listen to the warnings.
hero member
Activity: 882
Merit: 792

That'll still be 10% of all user funds gone forever and really $20 million should not be the amount of bug bounty you give to someone. Even Theymos does not give out such huge amounts for bitcointalk security.

And if the hacker is an organized crime figure, it's no use pleading. It will fall on deaf ears.
I think they already sense that they won't be able to find hackers, seize money and get it back, so, instead of 100% financial loss they try to negotiate with hackers to make it 10% financial loss with the hope that hackers will get scared, return 90% of stolen money, prioritize their safety and walk away with $20 million. But I guess this is a lure and the chase of hackers will not stop after this deal (recent example: Putin and Prigozhin). So, personally I think that hackers will refund nothing, probably knew what they were doing and life will continue.
legendary
Activity: 1624
Merit: 2594
The CEO stated that the timelock will only expire if the vulnerabilities are found and fixed


Where did you read such a statement? Honestly, all I've read is that they stated their services will be reopened "once the vulnerabilities are confirmed and fixed". That makes sense.

Quote
in other words, users can only get their funds back if the hackers refund some of the money, which I doubt will happen.
In which jurisdiction is this even legal? Shouldn't they file for bankruptcy if they're insolvent, isn't that the legal way to handle this?

I don't know where Igebotz got that from, but I don't think that's true. According to media reports, during a live briefing on September 25th, Mixin's founder, Xiaodong Feng, stated that they would compensate users "up to 50%" for the stolen assets, with the remainder being distributed to users as "tokenized liability claims" that Mixin would eventually repurchase "with its future profits".
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
The CEO stated that the timelock will only expire if the vulnerabilities are found and fixed
I admit I don't understand the technical details of how it works, and it was quite complicated, but my assumption was that the timelock is something that can't be changed once it's set. I assumed it was based on cryptography, but judging by your comment it's completely centralized.
That confirms what I knew already: don't trust things you don't understand :) It reminds me of the "ETH DAO smart contract" where the only person who understood how it works was called "the attacker".
Keep it simple, keep your own keys :)

Quote
in other words, users can only get their funds back if the hackers refund some of the money, which I doubt will happen.
In which jurisdiction is this even legal? Shouldn't they file for bankruptcy if they're insolvent, isn't that the legal way to handle this?
staff
Activity: 1316
Merit: 1610
The Naija & BSFL Sherrif 📛
Nope! This is the pop up message!

"Server under maintenance "
The promise was for you to be able to recover your funds after a timelock expires, but they didn't explain how to do it. Even worse: if it's set up the way I think it is, they too would be able to have 2 out of 3 keys by the time the timelock expires.

The CEO stated that the timelock will only expire if the vulnerabilities are found and fixed - in other words, users can only get their funds back if the hackers refund some of the money, which I doubt will happen.  This will culminate in the creation of some form of debt token that will be distributed to users in order to compensate for loss.

Particia EX did precisely that when they got hacked last year.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Nope! This is the pop up message!

"Server under maintenance "
The promise was for you to be able to recover your funds after a timelock expires, but they didn't explain how to do it. Even worse: if it's set up the way I think it is, they too would be able to have 2 out of 3 keys by the time the timelock expires.
staff
Activity: 1316
Merit: 1610
The Naija & BSFL Sherrif 📛
Until now my little Bitcoin left in my Mixin Messenger is still reflecting with no option to withdraw. I'm 100% sure what I have there is just virtual numbers.

PS: coins left after the review.
So you can confirm that it is currently impossible to withdraw coins from this apparent "decentralized, non-custodial" Mixin Safe?

Nope! This is the pop up message!

"Server under maintenance "

It's still a wonder to me how an unknown entity can have $200 million in a hot wallet when even the largest exchanges don't have that much in a hot wallet. Wasn't the project in beta, and deposits of more than $1000 were not allowed? Well, wish them the best.
legendary
Activity: 1526
Merit: 1359
Until now my little Bitcoin left in my Mixin Messenger is still reflecting with no option to withdraw. I'm 100% sure what I have there is just virtual numbers.

PS: coins left after the review.
So you can confirm that it is currently impossible to withdraw coins from this apparent "decentralized, non-custodial" Mixin Safe?
~

Mixin Wallet is integrated into the Mixin Messenger App. Mixin Safe is a standalone service. I remember that, when I was doing the review, those two services were not connected to each other. I had to make a deposit from Mixin Messenger to Mixin Safe and then transfer the coins back.
legendary
Activity: 2268
Merit: 18711
Until now my little Bitcoin left in my Mixin Messenger is still reflecting with no option to withdraw. I'm 100% sure what I have there is just virtual numbers.

PS: coins left after the review.
So you can confirm that it is currently impossible to withdraw coins from this apparent "decentralized, non-custodial" Mixin Safe?

So I take it they never released this tool they promised to release after I identified this big red flag?
It will also be beyond their skill set to recover their coins if your service disappears, and that's a very dangerous situation to be in. And you are not incentivized to release a tool to allow them to do so, since then they can easily bypass your pricing model.

the plan is not to let the users develop software, it's to provide another software to help them. A decentralized system allows a new software to do the job, unlike a centralized system rug.
You are essentially hoping that some unknown developer will be kind enough to develop a tool to allow users to recover their coins, for free, in their own time. That's a big assumption.
legendary
Activity: 2912
Merit: 6403
That'll still be 10% of all user funds gone forever and really $20 million should not be the amount of bug bounty you give to someone. Even Theymos does not give out such huge amounts for bitcointalk security.

Think the other way around.
You don't spend 20 million, you get back 180 million, even half of it and you're still from this moment gaining 100 million to your balances!

There is one thing I'm surprised about and it's indeed strange for me I'm the only one thinking this, but isn't it a bit weird that indeed they had this huge amount of funds around? For a service that really went big in the last years and was a bit unattractive to the masses for its complexity, I'm quite amazed of the amounts stolen. We have exchanges that didn't have that much on balances in their life so and it's a different type of business altogether.

Anyhow, reading this topic now, some of those quoted aged worse than bull milk!





staff
Activity: 1316
Merit: 1610
The Naija & BSFL Sherrif 📛
Why wouldn't it be affected by the hack since it is custodial
Sorry, I forgot the word "non"-custodial. I've edited my post.

Quote
there is no private key or seed phrase to any "safe vault" that you create.
That's the shitty part indeed, and it's what makes it really hard to believe it's non-custodial. The user doesn't have much more than a phone number and 6 digit PIN to recover their funds, and they didn't say how you can recover it.

This is how;

"You will be asked periodically to help you remember it."

Until now my little Bitcoin left in my Mixin Messenger is still reflecting with no option to withdraw. I'm 100% sure what I have there is just virtual numbers.

PS: coins left after the review.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Why wouldn't it be affected by the hack since it is custodial
Sorry, I forgot the word "non"-custodial. I've edited my post.

Quote
there is no private key or seed phrase to any "safe vault" that you create.
That's the shitty part indeed, and it's what makes it really hard to believe it's non-custodial. The user doesn't have much more than a phone number and 6 digit PIN to recover their funds, and they didn't say how you can recover it.
hero member
Activity: 994
Merit: 1089
The difference is that Mixin Safe is supposed to be custodial. If that's true (which I haven't been able to verify) it shouldn't be affected by the hack.
Why wouldn't it be affected by the hack since it is custodial and the Mixin network holds the keys and obviously stores them in the cloud? Mixin safe is custodial that's for sure, there is no private key or seed phrase to any "safe vault" that you create.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I've seen several incorrect posts by now. To be clear: Mixin lost $200M, not Mixin Safe.
Product is different, but company and owners are obviously the same.
The difference is that Mixin Safe is supposed to be non-custodial. If that's true (which I haven't been able to verify) it shouldn't be affected by the hack.
legendary
Activity: 1624
Merit: 2594
I've seen several incorrect posts by now. To be clear: Mixin lost $200M, not Mixin Safe.
Product is different, but company and owners are obviously the same.
If micr0s0ft or apple get hacked and lost all their money it will affect all of their products.

True, the company is still responsible for the hack and the loss of money. It's just that some people mistakenly associate this incident with the Mixin Safe service, which, if I'm not mistaken, is still in beta and not that widely used.

It was a good idea for some people that used temp phone numbers after all ;)

No doubt about it. I would always use a fake phone number for things like that if I could.
legendary
Activity: 2212
Merit: 7064
It was a different service. Mixin Safe has been reviewed by users on this forum. However, from what I understand, Mixin Safe hasn't actually been hacked. On the other hand, Mixin Messenger (which includes an integrated crypto wallet) had over a million users. My hunch is that the wallet that got hacked is linked to their custodial wallet service within Mixin Messenger.
Mixin Messenger was part of the review because many people used it in combination with Mixin Safe as part of their multisig setup, including me; this was clearly mentioned in the official campaign rules.
They just forked open source Signal messenger and added centralized coin storing that was connected with cloud service.
I probably still have keys somewhere but I didn't run Messenger to see if it's even working now.

I've seen several incorrect posts by now. To be clear: Mixin lost $200M, not Mixin Safe.
Product is different, but company and owners are obviously the same.
If micr0s0ft or apple get hacked and lost all their money it will affect all of their products.



- Prepare Members Wallet: Get Mixin Messenger
- Set Mixin Messenger PIN
- Add Mixin Messenger Contacts: Please ask all safe members to add each other as a contact in Mixin Messenger, including yourself.

- To activate Mixin Messenger, you can use a throwaway phone number

It was a good idea for some people that used temp phone numbers after all ;)