All multi-sig keys on a single computer: how one phishing attempt can break through a multi-sig defense
The most dangerous illusion with multi-sigs is thinking that because you “need 3 keys,” there must be 3 independent layers of defense. Humanity Protocol’s incident delivered a brutal answer: if multiple signing key secrets are concentrated on the same device, the attacker may still only need to compromise a single failure point.
In Humanity’s official Quantstamp incident post-mortem, the attack began with a phishing email impersonating Bithumb. The malicious attachment established remote access on a single Windows computer and obtained data from the browser wallet, including the private keys.
On June 8, on the Ethereum side, the attacker replaced the cross-chain proxy using the stolen keys to move about 141.18 million H. On the BSC side, they further used three stolen Safe signing keys to take over the ProxyAdmin, minting and selling about 100 million H.
The dumping continued for about 8 hours, during which the public market price of H fell by as much as ~89%. As of the release of the official post-mortem, the ETH in the known attack addresses was over $21 million, while the BNB proceeds were still being calculated. Therefore, treating the rumored “$36 million” as the official final loss is not rigorous.
Now look at the design of
@grvt_io : Web2 login and Web3 asset authorization are clearly separated. Email, passwords, or OAuth primarily handle entering the account, viewing assets, and using non-transactional functions. Any action that could change asset ownership requires a SecureKey signature.
GRVT also allows users to pre-configure a Secondary SecureKey. When the primary Signing SecureKey is suspected to have leaked, users can switch the already-registered backup key to a new Signing SecureKey, reducing the need to keep relying on the original key.
But the Secondary SecureKey is not an automatic immune mechanism. If the primary key and the backup key are stored on the same computer, with the same browser configuration, the same password manager, or the same cloud sync account, they still belong to the same failure domain.
A more reasonable approach is to truly isolate the devices: keep the primary SecureKey in a dedicated device or hardware wallet; after pre-registering the secondary key, store it on a separate clean device and use independent recovery materials. Do not put both sets of seed phrases, exported files, or browser wallet data into the same cloud drive.
#grvt #SelfCustody #Multisig #CryptoSecurity