A poor design of threshold or conditions can give an attacker complete control of the funds.
In DeFi environments, a committed multi-signature would allow leveraged positions to be liquidated.
The event was publicly reported by PeckShieldAlert, a firm specialized in forensic analysis. on-chain and security alerts in DeFi. According to their report, the attacker not only drained the funds, but also maintains operational control over the multi-signature and over a leveraged position in AAVE, while part of the funds in ether (ETH) were laundered via Tornado Cash.
The case analyzed is not exceptional because of its amount, but because of what it reveals about how multisignatures are being used in practice. For years, multisignature (multisig) was presented as the “next level” of security: more signers, more protection. However, experience shows that Security does not come from the number of signatures, but from the design of the custody scheme.
Not all multisignatures offer the same level of blocking. A 1-of-2 and/or 1-of-3 scheme has a single point of failure: compromising a single key is enough to move funds. In that case, multi-signature provides operational redundancy, but not real protection against theft. In contrast, a 2-of-3 multisignature introduces dependency between signers, which requires compromising at least two different environments. That difference is not quantitative, it is structural. In custody, the threshold defines the exposure.
In this incidentthe compromise of a private key was enough for the attacker to drain funds, launder some of them through a mixer, and, even more critically, maintain operational control over the multisignature itself. This multi-signature not only safeguarded assets, but also took control of a leveraged position in a DeFi protocol. The result was a persistent control event, not a one-time attack.
Why is this happening?
Because many multisignatures are designed under weak assumptions: that all signers will always be available, that their keys will not be compromised, that the operating environment is trustworthy. When one of these assumptions fails, multisignature stops being a barrier, but rather a lever.
Among the most common errors are:
- Ill-defined thresholdswhere a key and/or more keys combined with automation may be vulnerable.
- Lack of separation of dutiesusing the same keys for custody, daily operation and/or contract control.
- Lack of temporary blockswhich prevent immediate movements, to have reaction time.
- Dependency on hot infrastructuresuch as servers, browsers and/or environments cloudwhich expose the attack surface.
- Complexity without planningwhere technical layers are added without a conceptual audit of the design.
From a custody expert perspective, the problem is not multisignature, but the approach with which it is designed. A good multi-signature does not only seek to prevent external theft, but also control internal failures, human errors, coercion, absences and/or extreme scenarios.
What could have been done better?
First, separate roles from contexts. A multi-signature intended for passive custody should not be the same one that interacts with DeFi protocols. In another order, incorporate timelockswhich add deliberate friction to sensitive movements. Third, diversify firm environmentspreventing multiple keys from sharing the same attack vector. Room, define escape routeswhich allow funds to be blocked and/or diverted in the event of an unusual event.
In Bitcoin, these practices are much more controlled. The UTXO model, the possibility of defining how, when it is used, with timelocks and multisignatures at the consensus level make the impact of a commitment more limited. Instead, in many DeFi schemes, a multi-signature acts as a master key over complex and dynamic systems.
The lesson is not to abandon multisignature, but to understand it. A well-designed multisignature is a sovereign tool; A poorly designed one is an illusion of custody.
This case does not prove that multisignature is vulnerable. prove that Custody requires design, not shortcuts. Adding signatures without thinking through failure scenarios can create a false sense of protection.
True custody is born when you assume that keys can fail, people can make mistakes, and systems can be attacked. In that context, a good multisignature does not eliminate risk: it manages it. And in custody, that difference is everything.
Disclaimer: The views and opinions expressed in this article belong to its author and do not necessarily reflect those of CriptoNoticias. The author’s opinion is for informational purposes and under no circumstances constitutes an investment recommendation or financial advice.