Vitalik Buterin
@vitalik.eth
People who work in large corporate settings where things like this are a risk, do you have any existing rules or standardized best practices for how to minimize the risk? https://twitter.com/RichardHanania/status/1754257428198416393
46 replies
31 recasts
503 reactions

christopher
@christopher
yes, it’s called approval levels. e.g. you need your manager, who has a $500,000 approval limit, to approve anything. any more than that you need their manager to approve until you get to the board
1 reply
0 recast
3 reactions

Vitalik Buterin
@vitalik.eth
Is this a company policy, or is it enforced in code? (whether through multisigs for cryptocurrency, or instructions given ahead of time to the bank for fiat)
2 replies
0 recast
3 reactions

Vitalik Buterin
@vitalik.eth
If company policy, then how do you deal with the risk of an attack tricking whoever is "actually" the administrator (if you can impersonate 1 person on a video call, you can probably impersonate the entire board)? (And of course, how to deal with rogue administrator risk)
4 replies
1 recast
22 reactions

JStacks🎩🔵
@jstacks
Typically approval flows on financial transactions instead of just a person making a decision. You can have different approval rules depending on the amount of the txn and even exception approvals depending on other characteristics of the txn
0 reply
0 recast
1 reaction
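The approval-level scheme christopher describes and the amount-dependent rules with exception approvals JStacks mentions can be enforced by code rather than left as policy, which is the distinction Vitalik asks about. The following is an added illustration and not code from any participant: it models an escalation chain where a transfer needs sign-off from the lowest role whose limit covers the amount, requires each approval to carry a system-verified second factor (as sn61 suggests), forbids self-approval and duplicate approvers, and demands one extra approver when the payee is new. The $500,000 manager limit is the figure from the thread; the other tiers, the role names, the new-payee rule and the `mfa_verified` flag are assumptions made for the example.

```python
"""Tiered transaction approval enforced in code rather than by policy.

Assumptions (not from the thread): the roles above "manager" and their
limits, the rule that a payment to a first-time payee needs one extra
approver, and that every approval carries a system-verified second factor.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    limit: float  # largest amount this role may sign off on


# Escalation chain, lowest authority first. Only the $500,000 manager limit
# comes from the thread; the remaining tiers are illustrative.
CHAIN = (
    Role("manager", 500_000),
    Role("director", 2_000_000),
    Role("vp", 10_000_000),
    Role("board", float("inf")),
)
RANK = {role.name: i for i, role in enumerate(CHAIN)}


@dataclass(frozen=True)
class Approval:
    user: str
    role: str
    mfa_verified: bool  # second factor checked by the system, not by a colleague


@dataclass(frozen=True)
class Transfer:
    amount: float
    requester: str
    new_payee: bool = False  # a transaction characteristic that triggers an exception approval


def required_rank(amount):
    """Index of the lowest role whose limit covers the amount (escalate until one does)."""
    for i, role in enumerate(CHAIN):
        if amount <= role.limit:
            return i
    raise ValueError("no role can approve this amount")


def authorize(transfer, approvals):
    """Return (approved, reason).

    Every rule is checked by the system, so a persuaded or impersonated person
    contributes at most one approval and can never approve their own request.
    """
    needed = required_rank(transfer.amount)
    extra = 1 if transfer.new_payee else 0
    users = [a.user for a in approvals]
    if transfer.requester in users:
        return False, "requester may not approve their own transfer"
    if len(set(users)) != len(users):
        return False, "each approval must come from a distinct person"
    for a in approvals:
        if not a.mfa_verified:
            return False, f"{a.user}: second factor not verified"
        if a.role not in RANK:
            return False, f"{a.user}: unknown role {a.role!r}"
    # Only approvals from roles at or above the covering level count.
    covering = [a for a in approvals if RANK[a.role] >= needed]
    if len(covering) < 1 + extra:
        return False, (f"need {1 + extra} approval(s) at or above "
                       f"{CHAIN[needed].name} for {transfer.amount:,.0f}")
    return True, "approved"


if __name__ == "__main__":
    # Constructed sample: a $3M transfer with only a director approving is refused.
    print(authorize(Transfer(3_000_000, "alice"), [Approval("bob", "director", True)]))
```

The point of putting these checks in the payment system itself is that a convincing video call can at most produce one approval from one person; it cannot remove the second-factor requirement, let the requester sign for themselves, or lower the rank the amount demands.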

kristin eberth
@keliz
in my experience it’s usually a question of signing authority, which finance departments will screen for before authorizing a transaction. doesn’t preclude social engineering of people with sufficient signing authority, ofc
0 reply
0 recast
1 reaction

sn61
@sn61
Insurance against theft exists for some of these vectors. Each signer (trad bank account, not multisig) should have their own 2fa as well, which raises the bar past simple impersonation in a video call
0 reply
0 recast
0 reaction

Pranav Prakash
@pranav
Sometimes this is prevented at the bank level. We had a similar scenario (although not as sophisticated) in my last startup and the bank flagged the transaction and reported it to us.
0 reply
0 recast
0 reaction