Humanity Protocol's multisig compromise.

Between June 8 and 9, Humanity Protocol lost about 447 million of its own tokens across two networks. The code was not exploited. Attackers compromised the wallets that controlled it, then used their legitimate access to upgrade the contracts and mint new supply.

A multisig wallet requires several owners to sign before it acts, so one stolen key is not enough. Here the attackers held three of six keys on one chain and three of five on another, enough to clear the bar on each. Those wallets had the power to replace the contract's code, so the attackers swapped in a malicious version.

A multisig only protects you if its keys are held separately. The post-mortem points to one compromised device. When several signing keys sit in the same place, the threshold that was supposed to require multiple independent people protects nothing.