What can a hacker do if they gain access to your stake pool servers?

There is lots of information here explaining how to secure your stake pool servers… But what can a hacker actually do if they manage to gain access to your Stake Pool Servers? It is my understanding that all associated ADA is held in the stakers' wallet(s), so I assume the hacker can't get to the tokens…? What then is the motivation for hacking a stake pool?


If the operator is a little more careless than the guides tell them, there might be skeys on the machine to get funds in those addresses (Ada for the transaction fees and possibly pool rewards and pledge). They will never get access to funds of other delegators, though.

Again, if the operator is careless enough, they could change fixed cost and pool cost to extract some more for a couple of epochs, before running away with it.

They could try to lock out the real operator before that to increase the chance of being able to run away. If they change your password and remove your ssh keys, you would have to reinstall the whole machine, before getting access back. If they also got the login of your hosting company, that could need some longish interaction with that company, before they are locked out and you are in again.

They could just be destructive, take the node offline, format the hard drive, whatever.

A very sophisticated (and therefore probably totally unlikely) attack would be to replace the node software with one that verifies malicious transactions if it is selected to mint a block, do some double spending, … This will be caught by all other full nodes doing full verification of the chain, though. So it would need to be dormant until they have gotten their malware on stake pools representing more than 50% of the global stake. And then it would still be caught by the non-infected ones, which minimises their chances of realising the profits of it.

And like with every other server, they could use it for something not Cardano-related, send spam, distribute illegal material, use it as a bot in a bot network to launch attacks on others.

Ok - so you’re saying they would need skeys to get at the tokens (Ada for the transaction fees and possibly pool rewards and pledge). Is the pledge not held in the SPO’s wallet?

As far as I understand, the Coincashew Guide, for example, uses the payment.addr secured by payment.skey (or a mnemonic seed) for that, but it could be anywhere, sure.

Yes, the pledge is held in the SPO’s wallet. In my case, this is a Ledger hardware wallet.
Payment keys and the stake pool’s cold keys should never be on a server.
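The two answers above both come down to the same operational check: the signing keys that spend funds or control the pool registration (payment, stake and cold keys) must not be on the server, and the operational keys that do have to be there should be readable by their owner only. The following POSIX shell audit is an added example written for this thread, not code from any of the posters or from the Coincashew guide. The file names it looks for (payment.skey, stake.skey, cold.skey, kes.skey, vrf.skey) are the conventional names used by common tutorials and are assumptions; adjust the patterns to your own naming.

```shell
#!/bin/sh
# Added example, not from the forum thread: audit a directory tree on a
# stake pool host for secret keys that should never be there, and for
# secret keys with permissions looser than owner-only.
# File names are assumed tutorial conventions, not a protocol requirement.

# audit_keys DIR
# Prints one line per finding; prints nothing for a clean tree.
audit_keys() {
    dir="$1"
    # 1) Spending / cold keys: their presence on a server is a finding no
    #    matter how they are permissioned (the operator's answer above).
    find "$dir" -type f \( -name payment.skey -o -name stake.skey -o -name cold.skey \) \
        -print 2>/dev/null | while read -r f; do
        echo "CRITICAL: $f - spending/cold signing key present on server"
    done
    # 2) Any other secret key (e.g. kes.skey, vrf.skey, legitimately needed
    #    by a block producer) must not be readable by group or others.
    find "$dir" -type f -name '*.skey' -print 2>/dev/null | while read -r f; do
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$mode" in
            [4-7]00) ;;   # owner-only, fine
            *) echo "WARN: $f has mode $mode, expected owner-only (400)" ;;
        esac
    done
    return 0
}

# count_findings DIR -> number of findings on stdout (0 for a clean tree)
count_findings() {
    audit_keys "$1" | wc -l | tr -d ' '
}

# make_sample_dir -> path of a constructed sample tree (for demonstration only)
make_sample_dir() {
    d=$(mktemp -d 2>/dev/null || mktemp -d -t skeyaudit)
    mkdir -p "$d/keys" "$d/home" "$d/clean"
    # constructed dummy contents; these are not real keys
    echo '{"type":"dummy"}' > "$d/keys/kes.skey";    chmod 400 "$d/keys/kes.skey"   # ok
    echo '{"type":"dummy"}' > "$d/keys/vrf.skey";    chmod 644 "$d/keys/vrf.skey"   # WARN
    echo '{"type":"dummy"}' > "$d/home/payment.skey"; chmod 600 "$d/home/payment.skey" # CRITICAL
    echo '{"type":"dummy"}' > "$d/home/cold.skey";   chmod 400 "$d/home/cold.skey"  # CRITICAL
    echo '{"type":"dummy"}' > "$d/clean/kes.skey";   chmod 400 "$d/clean/kes.skey"  # ok
    echo "$d"
}

# Demonstration on the constructed tree; on a real host run: audit_keys /
demo_dir=$(make_sample_dir)
audit_keys "$demo_dir"
echo "findings: $(count_findings "$demo_dir")"
rm -rf "$demo_dir"
```

On the constructed tree the audit reports three findings: payment.skey and cold.skey are flagged regardless of their mode, and vrf.skey is flagged for being world-readable; the two kes.skey files with mode 400 pass. Running `audit_keys /` on a relay should print nothing at all, since a relay needs no secret keys; on a block producer only the KES and VRF keys should remain, and they should pass the permission check.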