
Three Multisig Keys on One Laptop Cost Humanity $36 Million

coindesk.com · @chain_signal · 4 hours ago · Web3 & Crypto · 2 comments

An employee's compromised laptop held enough multisig keys to seize control of token bridges on Ethereum and BNB Chain - a textbook custody failure for a $1.1B startup.

Tags: humanity protocol, multisig wallet, pantera capital, jump crypto, zachxbt, web3 security

Three of six Ethereum multisig keys and three of five BNB Chain keys — all on one laptop. That's how an attacker walked away with $36 million in H tokens from Humanity Protocol, a decentralized identity project that raised $20 million from Pantera Capital and Jump Crypto at a $1.1 billion valuation.

Multisig was set up right — then the keys got backed up to a single device

Humanity founder Terence Kwok told CoinDesk the team did distribute the multisig wallet across four individuals, as you'd expect. But during setup, "some of the keys were accidentally backed up to a compromised device." That device was an employee's laptop, and when it got popped, the attacker had enough signatures to cross the approval threshold on both chains.

On Ethereum, three of six keys gave control of the bridge's admin account. The attacker transferred ownership to their own wallet, swapped the bridge code for a malicious version, and drained about 141 million H in one transaction. On BNB Chain, three of five keys unlocked an unlimited mint function, letting the attacker mint roughly 200 million new H straight to their wallet.

A $1.1B valuation doesn't buy basic key hygiene

This isn't a sophisticated zero-day exploit. It's a basic custody failure: storing enough multisig keys on one machine to bypass the entire purpose of multisig. Kwok claims the project uses a licensed custodian for the majority of its token treasury and MPC for operations treasury, but the bridge admin keys apparently fell through a procedural crack.
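The failure described above is easy to catch before an attacker does: given a map of which device holds which signing key (including backups), compute the smallest number of devices whose compromise reaches the threshold. The script below is an added example and is not code from Humanity Protocol, CoinDesk or the article's author. The custody maps are constructed to match the article's numbers (three of six Ethereum keys and three of five BNB Chain keys on one laptop); the exact assignment of keys to people and the "after" layout are assumptions.

```python
"""Smallest set of devices whose compromise crosses a multisig threshold.

Added example, not code from Humanity Protocol or CoinDesk. The custody maps
below are constructed to match the article's figures; the per-person key
assignment is an assumption.
"""
from itertools import combinations


def min_devices_to_threshold(threshold, custody):
    """Return (k, devices): k is the fewest devices whose combined keys reach
    `threshold`; `devices` is one such set. Returns (None, None) if even all
    devices together cannot sign.

    custody: dict mapping a device name to the set of key identifiers stored
    on it. A key present on several devices (a backup copy) still counts as
    one signature, so we take the union of key sets rather than a sum.
    """
    devices = list(custody)
    for k in range(1, len(devices) + 1):
        for subset in combinations(devices, k):
            keys = set().union(*(custody[d] for d in subset))
            if len(keys) >= threshold:
                return k, set(subset)
    return None, None


def single_device_can_sign(threshold, custody):
    """True when compromising any one device is enough to cross the threshold,
    i.e. the multisig has been reduced to a single point of failure."""
    k, _ = min_devices_to_threshold(threshold, custody)
    return k == 1


# --- Constructed layouts (assumptions, not the project's real custody) -----

# Ethereum bridge admin: 3-of-6. Four people hold the keys, but three of
# them were also backed up to one employee laptop.
ETH_BEFORE = {
    "alice-hw-wallet": {"e1", "e2"},
    "bob-hw-wallet": {"e3"},
    "carol-hw-wallet": {"e4"},
    "dave-hw-wallet": {"e5", "e6"},
    "employee-laptop": {"e1", "e2", "e3"},   # the accidental backup
}

# Same multisig with one key per hardware device and no laptop backups.
ETH_AFTER = {f"signer-{i}": {f"e{i}"} for i in range(1, 7)}

# BNB Chain minter: 3-of-5, three keys again on the laptop.
BNB_BEFORE = {
    "alice-hw-wallet": {"b1"},
    "bob-hw-wallet": {"b2"},
    "carol-hw-wallet": {"b3"},
    "dave-hw-wallet": {"b4", "b5"},
    "employee-laptop": {"b1", "b2", "b3"},
}


def audit(layouts):
    """Run the check over several (name, threshold, custody) triples and
    return a summary dict suitable for a report or a CI gate."""
    out = {}
    for name, threshold, custody in layouts:
        k, devs = min_devices_to_threshold(threshold, custody)
        out[name] = {
            "threshold": threshold,
            "min_devices": k,
            "example_device_set": sorted(devs) if devs else None,
            "single_point_of_failure": k == 1,
        }
    return out


if __name__ == "__main__":
    report = audit([
        ("eth-bridge-admin (before)", 3, ETH_BEFORE),
        ("eth-bridge-admin (after)", 3, ETH_AFTER),
        ("bnb-minter (before)", 3, BNB_BEFORE),
    ])
    for name, row in report.items():
        print(f"{name}: {row['min_devices']} device(s) -> "
              f"{row['example_device_set']}"
              f"{'  ** SINGLE POINT OF FAILURE **' if row['single_point_of_failure'] else ''}")
```

The useful policy is the obvious one: for an M-of-N wallet the minimum should equal M, meaning every signing key lives on exactly one device and no device holds more than one. Anything lower means a backup or a shared machine has quietly collapsed the threshold, which is exactly what the laptop did here.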

On-chain investigator ZachXBT said the key compromise is unrelated to the suspicious market-making activity seen before the breach. He noted that the H token price shot from 20 cents to 70 cents in the two weeks before a large scheduled token unlock, then cratered to 5 cents during the attack. It has since recovered to roughly 20 cents, still well below the pre-breach 67 cents.

Humanity has halted bridge deposits and withdrawals, removed the team page from its website, and is working with exchanges and law enforcement. The token remains under pressure, and the project's credibility took a far heavier hit than any single balance sheet. The next time a startup brags about its valuation, someone should ask how many laptops can drain the treasury.

That single device proved multisig is only as strong as the weakest backup habit.


Source: Humanity's $36 million exploit tied to compromised laptop hosting a 'multisig' wallet
Domain: coindesk.com
