Hack of a single multisig wallet could drain 12 Ethereum L2s of $121M

One wallet has upgrade permissions for 12 Ethereum scaling networks, but Conduit founder Andrew Huang says it can’t transact without three signatures, which would take a trio of physical attacks.

A single multisignature crypto wallet holds permissions on 12 different blockchain networks, implying that if this wallet is ever compromised, all 12 networks could be drained of their funds, with potential losses of $121 million.

The networks include Zora, Aevo, Hypr, Orderly, Ancient8, Lyra, Mode, Pgn, Parallel and Metal — all created using the Conduit rollup creation software, according to data shared to X on May 19 by L2Beat researcher Luca Donno.

However, the wallet can’t transact without three of five signatures from the team, Conduit founder Andrew Huang told Cointelegraph. The private keys used for these signatures are stored on hardware wallets, making a compromise possible only by “physically compromising 3/5 individuals,” he said.

Source: Luca Donno

Huang claimed the system will be upgraded “over the coming weeks” to make it a five out of seven multisig instead of three out of five.

Centralization risk will be reduced further once layer 2s move to “stage 2” of decentralization, he said.

The data shows that multiple Conduit-based networks use the same wallet to handle tasks such as upgrading the network’s bridge. L2Beat’s data for Aevo states that the account has “unlimited upgrade power” and the ability to “potentially [gain] access to all funds.” Aevo has over $72 million in total value locked (TVL).

Aevo Conduit multisig permissions. Source: L2Beat.

Conduit network Lyra has over $20 million in TVL, and L2Beat lists the same wallet as the “ConduitMultisig,” similarly with the potential to gain access “to all funds.”

Lyra permissions. Source: L2Beat.

Identical statements can be found on the pages for other Conduit networks, including Zora, Hypr, Orderly, Ancient8, Mode, Pgn, Parallel, and Metal. Together, these blockchains have a total TVL of approximately $121 million, all tied to a single multisignature wallet.

Layer 2 networks have dramatically lowered gas fees for Ethereum users, but some critics claim they are too centralized and do not provide a good enough user experience to allow for the mass adoption of crypto.

Layer 2 developers claim such blockchains will become more decentralized as they progress through Ethereum founder Vitalik Buterin’s decentralization plan published in November 2022.
