but if bitgo auto signs every time BFX signs.... then all you really need is BFX keys and you can move the coins.
is this infact the reality of what was going on with this "shared key model." ? idk.. idk shit...
is this infact the reality of what was going on with this "shared key model." ? idk.. idk shit...
From everything I've read, that seems to be the case Adam. BitGo and BitFinex are both very keen to point out that none of the blame lies with BitGo. Finex apparently had a custom setup with BitGo, unlike any other BitGo customer.
Either BitGo simply signed everything requested by Finex, or the hackers were able to bypass/avoid any kind of security precautions that BitGo had in place.
In either case, it looks to me like BitGo is shit when it comes to security, which is supposed to be their job. They provided Finex with a system that had no security or their system was easily bypassed. Fail or fail.
Perhaps there is something else going on and I haven't read about it or it isn't public knowledge?
So far sounds to me like it's an implementation error. BFX forgot to check the "Limit maximum daily withdrawals to 5%" checkbox during account set up with BitGone
It's because I was under the impression the boxes (addresses) were all drained individually. What kind of daily withdrawal limit woulda prevented that?
The addresses were all in 2/3 multisig. Hacker got BFX's key, signed the transaction (got 1/3), and then forwarded it to BitGone, and then BitGone said yep transaction looks valid i'll sign for this so you got your (2/3). In essence Bitgone signed off on BTC120k of BTC withdrawals from BFXs controlled accounts in 3hrs and didn't see anything wrong with it to stop it.
Or at least how i understand it.
