Ethereum

Safe{Wallet} frontend infrastructure was compromised.

🥁 We need to reduce our dependence on centralized frontends!

We need more independent frontends implementations or, better yet, generative frontends. At least one signer should use a different frontend.

Bybit Hack Forensics Report
As promised, here are the preliminary reports of the hack conducted by @sygnia_labs and @Verichains 
Screenshotted the conclusion and here is the link to the full report: https://t.co/3hcqkXLN5U https://t.co/tlZK2B3jIW

Ben Zhou

Safe{Wallet} frontend infrastructure was compromised.

🥁 We need to reduce our dependence on centralized frontends!

We need more independent frontends implementations or, better yet, generative frontends. At least one signer should use a different frontend.
https://x.com/benbybit/status/1894768736084885929

I built WhatsABI specifically for this thesis: In the future, most transactions will be made from generative interfaces (maybe directly by the wallet). The goal is to make this future easier to build and accelerate it.

callthis.link is an example of a generative transaction builder. Can you do better? I'll help!

A doodler and computerer. I like permissive/permissionless open source, smart contracts, p2p systems, room-scale VR, and NixOS.

shazow.net

Currently: WhatsABI

Why do you think they would target bybit specifically? There must be larger safes out there. 

I suspect they had some intel suggesting that their signing process was lacking.

Pragmatism (Security) at OP Labs.
Prev: ConsenSys & Coinbase.

Attribs: Friendly, curious, introverted, mid-witted.
Chans: /eth-security /maurelian /stoicism




What are some larger safes that do regular transfers initiated/signed by humans?

The ones I'm thinking of are mostly DAO-controlled (transactions proposed and reviewed outside of the frontend).

Unlock Protocol founder.
Previously founder at Superfeedr (RSS push API) acquired by Medium!

https://ouvre-boite.com

every single protocol that "holds" more than some amount of assets should sponsor multiple teams building multiple front-ends....

Software Engineer @ Cadence Design Systems. B4: Stanford EE / Illinois ECE

Which are you referring to?

I'd argue that no single client is safe for high value vaults, there should be client diversity in the signing set itself.

In fact the official frontend should actively encourage use of an alternate frontend for at least one signer.

Safe does have a local client, that presumably you should be using if you're moving $1B+, not the web interface

idk about you but the bybit x safe situation makes me very bullish ENS as it would avoid address substitution attacks

IPFS CIDs + onchain signatures = safety

Need verification of the frontend code through CIDs anchored to the specific address.

You can see what that looks like here: https://t.co/zAkIUzxl0m https://t.co/5RPe0qcc68

Kyle Tut

I have! I'm a fan of IPFS-pinning local-first apps! callthis.eth.limo works this way too (though using IPNS and sadly not via Pinata this time).

But what's preventing an IPFS-pinned update from including the same compromised CDN build that the centralized deploy was using?

This is what independent implementations address.

Everyone is from somewhere. Cofounder and CEO of Pinata. https://www.pinata.cloud/

Haveeeeee you met Pinata?

https://x.com/KyleTut/status/1894793884552532097

what do you think of Blumen?

Decentralized front-ends, with the domain managed by ENS and Safe + automatic replication of the IPFS distribution to multiple services

building Stauro ❇ frontend dev at @ensdomains ❇
prev. @rainbow, @geniexyz, @fleek

I'm all for making it easier to deploy local-first frontends on IPFS/ENS/etc!

But keep in mind, deploying the same vulnerable code on IPFS would not make it safe from the vulnerability. 🫠

Independent implementations that don't share the same supplychain attack surface is what's important.

I'd take two totally separate implementations hosted in separate centralized servers over two identical implementations both on IPFS.

what do you think of Blumen?

Decentralized front-ends, with the domain managed by ENS and Safe + automatic replication of the IPFS distribution to multiple services

https://blumen.stauro.dev